External Dependencies Management (EDM): Assessment Package

Aug 19, 2021 3:04 PM America/Denver

REPORT FOR: EDM
UNITED STATES DEPARTMENT OF HOMELAND SECURITY
CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

This document contains information from your institution and thus is your information to use as you see fit. You may distribute or disseminate it or its contents as you desire or as otherwise required by law.

For any questions regarding the EDM Assessment please email: cyberadvisor@hq.dhs.gov

Notification

This report is provided “as is” for informational purposes only. The Cybersecurity & Infrastructure Security Agency (CISA) does not provide any warranties of any kind regarding any information contained within. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages and including damages based on any negligence of the United States Government or its contractors or subcontractors, arising out of, resulting from, or in any way connected with this report, whether or not based upon warranty, contract, tort, or otherwise, whether or not injury was sustained from, or arose out of the results of, or reliance upon the report. The CISA does not endorse any commercial product or service, including the subject of the analysis in this report. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.

The display of the CISA official seal or other CISA visual identities on this report shall not be interpreted to provide the recipient organization authorization to use the official seal, insignia or other visual identities of the Department of Homeland Security. The CISA seal, insignia, or other visual identities shall not be used in any manner to imply endorsement of any commercial product or activity by CISA or the United States Government. Use of the CISA seal without proper authorization violates federal law (e.g., 18 U.S.C. §§ 506, 701, 1017), and is against CISA policies governing usage of its seal.

External Dependencies Management Assessment for EDM

1. Introduction

Representatives of the Cybersecurity & Infrastructure Security Agency (CISA) conducted an External Dependencies Management Assessment (EDM Assessment) at your organization. The EDM Assessment focuses on practices to manage risks associated with external dependencies, especially risks related to information and communications technology (ICT). This type of risk — also commonly called supply chain or third party risk — is of particular concern to many organizations, which increasingly have a large number of external dependencies. Organizations face inherent uncertainty in managing complex, rapidly changing, arms-length relationships involving technology. They also face a threat environment that exacerbates these concerns. The EDM Assessment helps by providing an efficient, effective way to measure and report on an organization's capability to manage this risk.

External dependencies exist when external entities have defined obligations or relationships with assets or services that your organization requires to support its business objectives and mission. Examples include third parties that provide, operate, control, have access to, own, or have other responsibilities over key ICT and related assets.

The Assessment is based on the principle that external dependencies require systematic management over their lifecycle. It poses a series of questions that provide insights into how an organization can improve its ability to manage dependency risks. Answers were gathered from key staff and subsequently scored according to a system similar to the Department of Homeland Security Cyber Resilience Review (CRR). The details are provided below.

2. Overview and Scope of the External Dependencies Management Assessment (EDM Assessment)

The EDM Assessment consists of a structured, facilitated interview of key personnel which takes a half day to complete. Its goal is to measure and report on the organization's cybersecurity practices as they relate to managing external dependencies and their associated risks. The assessment is derived from the Department of Homeland Security Cyber Resilience Review (CRR) and the external dependencies management process area of the Carnegie Mellon University CERT® Resilience Management Model (CERT-RMM). All of these resilience management resources use a common methodology. This provides an organized, actionable approach to managing cybersecurity risk based on a comprehensive array of industry standards and leading practices.

External Dependencies Management establishes and manages an appropriate level of controls to ensure the resilience of services and assets that are dependent on the actions of external entities. (CERT Resilience Management Model, 2010)

The EDM Assessment's approach is broad in that the organization is assessed against a range of external dependencies. Examples of dependencies include external entities that provide

  1. services that explicitly involve the operation, maintenance, or provisioning of ICT for the organization. Examples of these services include cloud services, data hosting, on-site maintenance services, and the operation of control systems to support the organization.
  2. services supported by ICT, including any type of service that is appreciably supported through the use of information and communications technology. Examples vary by critical infrastructure sector. In the energy sector, they may involve upstream or downstream components that extract or transport energy. In the financial sector, examples may include the printing of account statements by a subcontractor to a banking institution.
  3. governmental services, such as fire and police response to protect data centers.
  4. infrastructure services, such as electricity, telecommunications networks, or transportation assets.
  5. technology products and services, such as hardware and software, that are utilized by the organization to provide services to its customers.

2.1 Flexibility of the Approach

The EDM Assessment is designed to be a universal assessment method to evaluate the external dependency risk and resilience management capabilities of any critical infrastructure organization, regardless of the sector or the critical service the organization provides. It is intended to be useful regardless of whether the organization has well-defined resilience and risk management processes, is undertaking an effort to improve their resilience and risk management processes, or is just starting to examine the subject of external dependency risk. Ultimately, it is up to individual organizations to determine which EDM domains and practices are most relevant to their needs.

2.2 Critical Service Scope

The EDM Assessment has a service orientation, meaning that it is intended to assess the organization's management of external dependencies relative to a specific critical service. A critical service is defined as:

A set of activities an organization carries out in the performance of a duty or in the production of a product that is so critical to the organization's success that its disruption would severely impact continued operations or success in meeting the organization's mission.

Organizations typically have a set of critical services that define their mission. The selection of a critical service for assessment — rather than assessing the organization as a whole — helps to scope the assessment and tie the results to the organization's mission capabilities. For your organization the critical service assessed was:

3. Interpreting this Report

External dependencies involve acquiring and using ICT-related goods and services from external entities (third parties). Therefore, your organization is referred to as the “acquirer” in this report.

The report summarizes assessment findings and provides options for consideration in each category. These options outline general guidelines or activities that can be used to improve External Dependencies Management and the resilience of the critical service assessed. Sources include the CERT® Resilience Management Model (CERT-RMM), SEI-CMMI for Acquisition, National Institute of Standards and Technology (NIST) resources, the IT Infrastructure Library (ITIL), International Standards Organization (ISO) documents, and other cybersecurity standards. This material is not intended to fully represent all activities needed for a robust EDM program, but does provide initial guidance on how to incorporate various cybersecurity practices.

The guidance provided in this report includes NIST Special Publications and the NIST Cybersecurity Framework developed in conjunction with the private sector. These documents are extensively used by United States Federal civilian agencies; state, local, and tribal governments; and private sector organizations.

The EDM Assessment is an interview-based assessment. No documentary evidence or artifacts are examined or obtained during the assessment. Organizational performance is presented across several dimensions (e.g., contracts, third party oversight, controls, disruption management, and situational awareness) within the report. Scores are provided for individual Practices, Goals, and Domains.

While the EDM Assessment is derived in part from CERT-RMM, the results do not constitute a formal appraisal against it. Detailed information about CERT-RMM can be found at www.cert.org/resilience. Options for Consideration appearing in italics have been derived from the Specific Goals (SG) and Specific Practices (SP) sections of CERT-RMM.

3.1 EDM Assessment Structure

The EDM Assessment examines organizations for specific EDM practices and capabilities. They are organized into three domains that support the lifecycle of external relationships.

  1. Relationship Formation — activities that support the formation of relationships and dependencies on external entities. They include planning how the organization forms relationships, the selection and evaluation of suppliers and other entities, managing formal agreements, and incorporating EDM into the organization's risk management processes.
  2. Relationship Management and Governance — ongoing management of external dependencies. Relationship management and governance includes a range of capabilities, such as ongoing risk management, supplier performance management, integrating external entities into internal processes such as change and capacity management, managing supplier transitions, and controlling the access of external entities to the organization.
  3. Service Protection and Sustainment — incorporates dependence on external entities into the organization's processes to protect and sustain high-value services. These activities include situational awareness, service continuity, and incident management.

The assessment also evaluates the organization's capability to sustain and refine these practices over time. These questions involve the planning, governance, measurement and standardization of EDM practices so that they are retained and effective during times of stress and disruption. Collectively, the organization's performance of basic practices and higher levels of practice to sustain an EDM capability comprise its maturity. This is described in Section 3.4.

3.2 External Entity Types

Organizations typically rely on a range of different external entities to help them satisfy their mission and provide critical services. The organization's ability to manage these third parties may vary widely based on factors that include the degree of choice an organization has in selecting suppliers or other external entities; the organization's ability to drive behavior at the external entity; and the specific services provided.

To comprehensively measure the EDM capability of the organization and ensure completeness, several questions ask about practices performed with respect to different types of external entities. The external entity types used are

Supplier — external entities that provide ICT-related goods and services and with which the acquirer has some ability to negotiate. These entities may also be called subcontractors or vendors. Depending on scoping and the needs of the organization, this category may also apply to supporting affiliates or separate business units of the larger enterprise. Examples of these suppliers include centrally managed IT or other business services. These relationships are sometimes governed by Operational Level Agreements.

Governmental services — services provided by a governmental department or agency. These services frequently involve security, for example fire, police, and emergency response. Other examples include postal services and cybersecurity information providers like the CISA National Cybersecurity and Communications Integration Center (NCCIC).

Infrastructure providers — external entities that supply goods or services to a region, economy, infrastructure sector, or political subdivision, and with which the acquirer normally has no commercially practical ability to negotiate. Examples of infrastructure providers include natural gas, water, power, or transportation providers.

These entity types are defined more fully in the glossary (79).

3.3 Asset Types

A fundamental principle in the EDM Assessment is that organizations depend on a variety of ICT or cyber-related assets to provide critical services. External dependencies frequently exist when third parties have obligations or other relationships with respect to these assets. To support the accuracy and completeness of the assessment, several questions involve specific practices with respect to each category of assets. These asset categories are

People — for example, the staff that support data centers or otherwise use information and communications technology

Information — for example, account information and personal health information

Technology — for example, computers, software, and control systems

Facilities — for example, offices or data centers.

3.4 Maturity Indicator Levels

A Maturity Indicator Level (MIL) is assigned to the organization's External Dependencies Management capability. It represents a consolidated view of performance. The EDM maturity indicator level is automatically scored by the assessment tool and is displayed graphically for easy reference.

Maturity Indicator Levels describe attributes that are indicative of mature capabilities as represented in CERT-RMM. However, they are not a formal appraisal or certification of maturity, which are only assigned through a formal appraisal process that includes examination of documentation and other artifacts.

Maturity Indicator Level: Description

MIL-0 Incomplete: Indicates that Practices in the Domain are not being fully performed as measured by responses to the relevant EDM questions.

MIL-1 Performed: Indicates that all Practices in the EDM domains are performed as measured by responses to the relevant EDM questions. MIL-1 means that there is sufficient and substantial support for the existence of the practices.

MIL-2 Planned: Indicates that all EDM Practices are not only performed, but are supported by sufficient planning, stakeholders, and relevant standards and guidelines. A planned process or practice is
  • established by the organization (Is there a policy that establishes the importance and guidelines for external dependencies management?)
  • planned (Is the practice performed according to a documented plan? Are the relevant processes explained?)
  • supported by stakeholders (Are the stakeholders of the practice known, and are they aware of the practice or process and their role in it?)
  • supported by relevant standards and guidelines (Have the standards and guidelines that support the practice been identified and implemented?)

MIL-3 Managed: Indicates that all EDM Practices are performed, planned, and have the basic infrastructure in place to support the process. A managed process or practice is
  • governed by the organization (Is there appropriate oversight of the performance of the practice or process?)
  • appropriately staffed and funded (Are the staff and funds necessary to perform the practice as intended available?)
  • managed for risk (Are risks related to the performance of the practice identified, analyzed, disposed of, monitored, and controlled?)

MIL-4 Measured: Indicates that all EDM Practices in a Domain are performed, planned, managed, monitored, and controlled. A measured process or practice is
  • periodically evaluated for effectiveness (Is the practice or process effective and producing intended results?)
  • monitored and controlled (Are appropriate implementation and performance measures identified, applied, and analyzed?)
  • objectively evaluated against its practice description and plan (Are the organization and staff actually following the process or practice? Does the organization have controls in place to identify deviations?)
  • periodically reviewed with higher level management (Is higher level management aware of any issues related to the performance of the practice?)

MIL-5 Defined: Indicates that all EDM Practices in a Domain are performed, planned, managed, monitored, controlled, and consistent across all internal constituencies who have a vested interest in the performance of the practice. A defined process or practice ensures that an enterprise benefits from consistent processes across organizational units and that lessons learned are shared across the enterprise. The MIL-5 level of maturity is sometimes more relevant for larger enterprises charged with managing or providing guidance to dispersed business units. At MIL-5, a process or practice
  • is defined by the enterprise (Is there an enterprise-sponsored definition of the process that applies to every business unit or sub-component?)
  • includes tailoring guidance for business units (Are there guidelines or guidance that explain how business units can tailor the enterprise process for their own unique operating environment? An example might include dealing with local or jurisdictional legal differences when entering into formal agreements with suppliers.)
  • is supported by improvement information that is collected by and shared among organizational units for the overall benefit of the enterprise (Are practice improvements documented and shared across internal constituencies so that the enterprise as a whole benefits from these improvements?)

The EDM Assessment uses one maturity scale for all three domains because the domains represent different parts of a lifecycle - from forming external relationships to managing incidents and consequences - rather than representing a fundamentally different capability. Ideally, higher level management should manage, measure, and oversee the organization's external dependencies management capability across this complete lifecycle.

3.5 Assessment Scoring Rules

This section describes the scoring rules that are used in the EDM Assessment.
  1. Practices are either performed (answer = “Yes”), incompletely performed (answer = “Incomplete”), or not performed (answer = “No”).
  2. A goal is achieved only if all practices are performed.
  3. A Domain is achieved at MIL-1 if all the Goals in the Domain are achieved.
  4. External Dependencies Management can be achieved at higher levels depending on the existence of practices at the higher MIL levels (MIL-2 through MIL-5).
Scoring Rubric
Step 1
Each Practice in a Domain is scored as follows.
  • performed when the question is answered with a “Yes” (green)
  • incompletely performed when the question is answered with an “Incomplete” (yellow)
  • not performed when a question is answered with a “No” (red)
Step 2
Each Goal within the Domain is then scored as follows.
  • achieved when all practices are performed (green)
  • partially achieved when some practices are performed (yellow)
  • not achieved when no practices are performed (red)
Step 3
External Dependencies Management is assigned a MIL level based on the following criteria.
  • MIL-0 if only some of the goals are achieved
  • MIL-1 if all of the goals are achieved in each domain
  • MIL-2 if MIL-1 is achieved and all of the MIL-2 questions are answered YES
  • MIL-3 if MIL-2 is achieved and all of the MIL-3 questions are answered YES
  • MIL-4 if MIL-3 is achieved and all of the MIL-4 questions are answered YES
  • MIL-5 if MIL-4 is achieved and all of the MIL-5 questions are answered YES
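The three scoring steps above, written out as an added Python example. This is not code from the CISA report or from the EDM assessment tool; the dict layout (domain, then goal, then the list of interview answers), the function names, and the sample answers are all constructed for illustration.

```python
"""Scoring rubric of EDM Assessment Section 3.5 as a small Python module.

Added illustration, not the assessment tool's own code.  The data layout
(domain -> goal -> list of answers) and the function names are assumptions.
"""

from collections import Counter

# Step 1: practice-level statuses (shown green / yellow / red in the report).
PERFORMED = "performed"
INCOMPLETE = "incompletely performed"
NOT_PERFORMED = "not performed"


def score_practice(answer: str) -> str:
    """Map one interview answer (Yes / Incomplete / No) to its practice status."""
    normalized = answer.strip().lower()
    if normalized == "yes":
        return PERFORMED
    if normalized == "incomplete":
        return INCOMPLETE
    if normalized == "no":
        return NOT_PERFORMED
    raise ValueError(f"unexpected answer {answer!r}; expected Yes, Incomplete or No")


def score_goal(answers: list[str]) -> str:
    """Step 2: achieved / partially achieved / not achieved.

    Only 'Yes' counts as performed, so a goal whose practices are all
    'Incomplete' is 'not achieved', not 'partially achieved'.
    """
    statuses = [score_practice(a) for a in answers]
    performed = statuses.count(PERFORMED)
    if statuses and performed == len(statuses):
        return "achieved"
    if performed > 0:
        return "partially achieved"
    return "not achieved"


def score_mil(domains: dict[str, dict[str, list[str]]],
              higher_mil_answers: dict[int, list[str]]) -> int:
    """Step 3: the single MIL assigned to External Dependencies Management.

    MIL-1 needs every goal in every domain achieved.  MIL-2..MIL-5 are
    cumulative: each needs the previous level plus an all-'Yes' answer set for
    its own questions.  A missing or empty answer set stops the climb.
    """
    every_goal_achieved = all(
        score_goal(practices) == "achieved"
        for goals in domains.values()
        for practices in goals.values()
    )
    if not every_goal_achieved:
        return 0
    level = 1
    for mil in (2, 3, 4, 5):
        answers = higher_mil_answers.get(mil, [])
        if answers and all(a.strip().lower() == "yes" for a in answers):
            level = mil
        else:
            break
    return level


def summarize(domains: dict[str, dict[str, list[str]]]) -> dict:
    """Counts in the shape of the report's 'EDM MIL-1 Summary' block."""
    counts = Counter(
        score_practice(a)
        for goals in domains.values()
        for practices in goals.values()
        for a in practices
    )
    total = sum(counts.values())
    percent = round(100 * counts[PERFORMED] / total) if total else 0
    return {
        PERFORMED: counts[PERFORMED],
        INCOMPLETE: counts[INCOMPLETE],
        NOT_PERFORMED: counts[NOT_PERFORMED],
        "percent fully performed": percent,
    }


# Constructed sample responses (hypothetical; not any organization's results).
SAMPLE_DOMAINS = {
    "Relationship Formation": {
        "Goal 1": ["Yes", "Yes"],
        "Goal 2": ["Yes", "Incomplete", "Yes"],   # partially achieved
    },
    "Service Protection and Sustainment": {
        "Goal 1": ["No", "No"],                   # not achieved -> MIL-0 overall
    },
}
# Constructed set in which every MIL-1 goal is achieved, to show the climb.
MATURE_DOMAINS = {
    "Relationship Formation": {"Goal 1": ["Yes", "Yes"]},
    "Relationship Management and Governance": {"Goal 1": ["Yes"]},
}
SAMPLE_HIGHER_MIL = {
    2: ["Yes"] * 5,            # all five MIL-2 questions answered Yes
    3: ["Yes"] * 4,            # all four MIL-3 questions answered Yes
    4: ["Yes", "Yes", "No"],   # one MIL-4 question answered No: climb stops at MIL-3
    5: ["No"] * 3,
}

if __name__ == "__main__":
    print(summarize(SAMPLE_DOMAINS))
    print("sample MIL:", score_mil(SAMPLE_DOMAINS, SAMPLE_HIGHER_MIL))
    print("mature MIL:", score_mil(MATURE_DOMAINS, SAMPLE_HIGHER_MIL))
```

The two sample sets show the two properties of the rubric that matter most when reading a report: a single “No” or “Incomplete” anywhere in the MIL-1 practices holds the whole capability at MIL-0 regardless of the percentage performed, and the higher levels are reached only in order, so a “No” on one MIL-4 question caps the result at MIL-3 even if every MIL-5 question were answered “Yes”.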

EDM MIL-1 Performance Summary

EDM MIL-1 Summary
Total number of practices performed: 18
Total number of practices incompletely performed: 0
Total number of practices not performed: 72
Percentage of practices fully performed: 20%

PRACTICE LEVEL PERFORMANCE SUMMARY
(Counts per goal are practices performed / incompletely performed / not performed; the original presents them as coloured bars.)

Relationship Formation - MIL-1: 6 performed, 0 incompletely performed, 22 not performed (21% performed)
  Goal 1 – Acquirer service and asset priorities are established.                    1 / 0 / 3
  Goal 2 – Forming relationships with external entities is planned.                  1 / 0 / 3
  Goal 3 – Risk management includes external dependencies.                           1 / 0 / 4
  Goal 4 – External entities are evaluated.                                          1 / 0 / 3
  Goal 5 – Formal agreements include resilience requirements.                        1 / 0 / 5
  Goal 6 – Technology asset supply chain risks are managed.                          1 / 0 / 4

Relationship Management and Governance - MIL-1: 7 performed, 0 incompletely performed, 35 not performed (17% performed)
  Goal 1 – External dependencies are identified and prioritized.                     1 / 0 / 4
  Goal 2 – Supplier risk management is continuous.                                   1 / 0 / 5
  Goal 3 – Supplier performance is governed and managed.                             0 / 0 / 4
  Goal 4 – Change and capacity management are applied to external dependencies.      1 / 0 / 10
  Goal 5 – Supplier transitions are managed.                                         1 / 0 / 2
  Goal 6 – Infrastructure and governmental dependencies are managed.                 1 / 0 / 4
  Goal 7 – External entity access to acquirer assets is managed.                     2 / 0 / 6

Service Protection and Sustainment - MIL-1: 5 performed, 0 incompletely performed, 15 not performed (25% performed)
  Goal 1 – Disruption planning includes external dependencies.                       2 / 0 / 5
  Goal 2 – Planning and controls are maintained and updated.                         2 / 0 / 4
  Goal 3 – Situational awareness extends to external dependencies.                   1 / 0 / 6

EDM MIL 1-5 Performance Summary

MIL-1 Performed
(Practice identifiers per goal. In the original each identifier is a coloured cell indicating performed, incompletely performed, or not performed; the colours are not reproduced here. See the legend for abbreviations.)

Relationship Formation
  G1: Q1, Q2, Q3, Q4
  G2: Q1, Q2, Q3, Q4
  G3: Q1, 2S, 2IP, 2GS, Q3
  G4: Q1, Q2, Q3, Q4
  G5: Q1, Q2, Q3, Q4, Q5, Q6
  G6: Q1, Q2, Q3, Q4, Q5

Relationship Management and Governance
  G1: 1S, 1IP, 1GS, Q2, Q3
  G2: Q1, Q2, Q3, Q4, Q5, Q6
  G3: Q1, Q2, Q3, Q4
  G4: 1I, 1T, 1F, 1P, 2I, 2T, 2F, 2P, Q3, Q4, Q5
  G5: Q1, Q2, Q3
  G6: Q1, Q2, Q3, Q4, Q5
  G7: Q1, Q2, 3I, 3T, 3F, 4I, 4T, 4F

Service Protection and Sustainment
  G1: Q1, Q2, Q3, 4IM, 4SC, 5IM, 5SC
  G2: 1IM, 1SC, 2IM, 2SC, Q3, Q4
  G3: Q1, Q2, 3S, 3IP, Q4, Q5, Q6

MIL-2 Planned: Domain practices are supported by planning, policy, stakeholders, and standards.
  1. Is there a documented plan for performing external dependencies management?
  2. Is there a documented policy for external dependencies management?
  3. Does the plan or policy identify and describe external dependencies management processes?
  4. Have internal and external stakeholders for external dependencies management activities been identified and made aware of their cybersecurity roles?
  5. Have external dependencies management standards, guidelines and roles been established and implemented?

MIL-3 Managed: Domain practices are supported by governance and adequate resources.
  1. Is there management oversight of the performance of external dependencies management?
  2. Are the acquirer’s external dependencies management processes periodically reviewed to identify and manage risks to these processes?
  3. Have qualified staff been assigned to perform external dependencies management activities as planned?
  4. Is there adequate funding to perform external dependencies management activities as planned?

MIL-4 Measured: Domain practices are supported by measurement, monitoring, and executive oversight.
  1. Are external dependencies management activities measured and periodically reviewed to ensure they are effective and producing intended results?
  2. Are external dependencies management activities periodically reviewed to ensure they are adhering to the plan?
  3. Is higher level management aware of issues related to the performance of external dependencies management?

MIL-5 Defined: Domain practices are supported by enterprise standardization and analysis of lessons learned.
  1. Has the acquirer identified, described, and disseminated standard external dependencies management processes that apply across the enterprise?
  2. Has the acquirer provided individual operating units with guidelines to help them tailor standard enterprise processes to fit their unique operating circumstances?
  3. Are improvements or changes to external dependency management documented and shared across the acquirer enterprise?

Legend

1(X) = Question Number (Subquestion Abbreviation)

Cell colour indicates the practice result: Performed (green), Incompletely Performed (yellow), Not Performed (red).
S = Suppliers
IP = Infrastructure Providers
G = Governmental Services
I = Information
T = Technology
F = Facilities
P = People
IM = Incident Management
SC = Service Continuity

NIST Cybersecurity Framework Summary

NIST CSF Summary: 47 practices performed, 0 incompletely performed, 106 not performed (31% performed).

The External Dependencies Management Assessment (EDM) has as its focus external dependency risk (aka supply chain risk), and as such is not designed to directly map to all of the Cybersecurity Framework (CSF) categories or sub-categories. A companion product, the Cyber Resilience Review (CRR), which is intended as a comprehensive cybersecurity assessment tool, does map to all of the CSF.

(Counts per Function and Category are practices performed / incompletely performed / not performed; categories the EDM does not map to are marked Not Applicable.)

Identify (ID): 33 / 0 / 68 (33% performed)
  ID.AM Asset Management                                  3 / 0 / 1
  ID.BE Business Environment                              4 / 0 / 14
  ID.GV Governance                                        0 / 0 / 4
  ID.RA Risk Assessment                                   3 / 0 / 10
  ID.RM Risk Management Strategy                          1 / 0 / 2
  ID.SC Supply Chain Risk Management                     22 / 0 / 37

Protect (PR): 13 / 0 / 30 (30% performed)
  PR.AC Access Control                                    7 / 0 / 12
  PR.AT Awareness and Training                            0 / 0 / 1
  PR.DS Data Security                                     Not Applicable
  PR.IP Information Protection Processes and Procedures   5 / 0 / 11
  PR.MA Maintenance                                       1 / 0 / 6
  PR.PT Protective Technology                             Not Applicable

Detect (DE): 0 / 0 / 4 (0% performed)
  DE.AE Anomalies and Events                              0 / 0 / 1
  DE.CM Security Continuous Monitoring                    0 / 0 / 3
  DE.DP Detection Processes                               Not Applicable

Respond (RS): 1 / 0 / 4 (20% performed)
  RS.RP Response Planning                                 Not Applicable
  RS.CO Communications                                    1 / 0 / 2
  RS.AN Analysis                                          0 / 0 / 1
  RS.MI Mitigation                                        0 / 0 / 1
  RS.IM Improvements                                      Not Applicable

Recover (RC): 0 / 0 / 0 (0% performed)
  RC.RP Recovery Planning                                 Not Applicable
  RC.IM Improvements                                      Not Applicable
  RC.CO Communications                                    Not Applicable


Summary Results

Percentage of Complete Practices by MIL
(Chart in the original: % YES per MIL on a 0%–100% scale, with the resulting MIL score.)

Maturity Indicator Level - Organizational Capacity
MIL-1 – Relationship Lifecycle
  Relationship Formation: 6 of 28 Practices
  Relationship Management and Governance: 7 of 42 Practices
  Service Protection and Sustainment: 5 of 20 Practices
MIL-2 Planned: 1 of 5 Practices
MIL-3 Managed: 1 of 4 Practices
MIL-4 Measured: 1 of 3 Practices
MIL-5 Defined: 0 of 3 Practices

Maturity Indicator Level *
(Chart in the original: Your Organization plotted on a 0–1 scale against MIL-1 through MIL-5.)

Maturity Indicator Levels provide a combined measurement of the completeness of EDM practices, as well as the enterprise management activities necessary to ensure that this capability is sustained over time, despite disruptions or organizational changes. The MIL scale is cumulative; each MIL level must be complete before achieving a higher MIL is possible. Viewed collectively, these depictions provide an understanding of overall performance. While achieving a certain Maturity Indicator Level is one possible process improvement objective, it may not be the most important objective for every organization or in every context.

Relationship Formation - MIL-1

Practice identifiers assessed in this domain (in the original each is a coloured cell indicating performed, incompletely performed, or not performed; see the legend for abbreviations):
  Goal 1: Q1, Q2, Q3, Q4
  Goal 2: Q1, Q2, Q3, Q4
  Goal 3: Q1, Q2 (S, IP, GS), Q3
  Goal 4: Q1, Q2, Q3, Q4
  Goal 5: Q1, Q2, Q3, Q4, Q5, Q6
  Goal 6: Q1, Q2, Q3, Q4, Q5

The purpose of Relationship Formation is to assess whether the acquirer evaluates and controls the risks of relying on external entities before entering into relationships with them. Relationship Formation includes understanding the acquirer’s critical services, having a process for entering into formal relationships, and evaluating external entities. A key aspect of Relationship Formation is identifying resilience requirements as the basis for risk management and formal agreements. Resilience requirements typically focus on integrity, confidentiality, and availability, but can also include other requirements important to the critical service.

Goal 1 – Acquirer service and asset priorities are established.
The purpose of this goal is to assess whether the acquirer has identified its own critical services, assets, and control objectives because these are fundamental activities for effectively managing external dependencies.
1. Are the acquirer’s services identified and documented across the enterprise?
No
2. Are the acquirer’s services prioritized based on an analysis of the potential impact if the services are disrupted?
N/A
3. Are the acquirer’s assets that directly support the critical service inventoried?
Yes
4. Have control objectives been established for acquirer assets that support the critical service(s)?
Unanswered
Option(s) for Consideration
Q1

CERT-RMM Reference

[SC:SG2.SP1] Identify the acquirer's high-value services

A fundamental risk management principle is to focus on activities to protect and sustain services and assets that most directly affect the acquirer's ability to achieve its mission. This practice refers to identifying the assessed acquirer's high-value services, which it provides to its customers and other stakeholders.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, The Fundamentals, 2.1 Multitiered Risk Management.

To integrate the risk management process throughout the organization and more effectively address mission/business concerns, a three-tiered approach is employed that addresses risk at the: (i) organizational level; (ii) mission/business process level; and (iii) information system level.

Tier 1 provides a prioritization of organizational missions/business functions which in turn drives investment strategies and funding decisions, promoting cost-effective, efficient information technology solutions consistent with the strategic goals and objectives of the organization and measures of performance.

NIST CSF References: ID.BE

Q2

CERT-RMM Reference

[SC:SG2.SP1] Identify the acquirer's high-value services

Prioritize and document the list of high-value services that must be provided if a disruption occurs. Consideration of the consequences of the loss of high-value acquirer services is typically performed as part of a business impact analysis. In addition, the consequences of risks to high-value services are identified and analyzed in risk assessment activities. The acquirer must consider this information when prioritizing high-value services.

Additional References

NIST Special Publication 800-34, “Contingency Planning for Federal Information Systems,” 3.2.3 Identify System Resource Recovery Priorities, 16-18.

Recovery priorities can be effectively established taking into consideration mission/business process criticality, outage impacts, tolerable downtime, and system resources. The result is an information system recovery priority hierarchy. The ISCP Coordinator should consider system recovery measures and technologies to meet the recovery priorities.

NIST CSF References: ID.AM-5, ID.BE

Q3

CERT-RMM Reference

[ADM:SG1.SP1] Inventory assets

An acquirer must be able to identify its high-value assets, document them, and establish their value. This is done in order to develop strategies for protecting and sustaining assets commensurate with their value to services. The term high-value assets refers both to assets that are internal to the assessed acquirer and those that are owned, maintained, provided, etc. by external entities.

Additional References

NIST Special Publication 800-18 Revision 1, “Guide for Developing Security Plans for Federal Information Systems,” 2-3.

NIST CSF References: ID.AM-1, ID.AM-2, ID.AM-4

Q4

CERT-RMM Reference

[CTRL:SG1.SP1] Define control objectives

Define and document control objectives that result from management directives and guidelines. Affinity analysis of directives and guidelines may be useful in identifying categories of control objectives.

These are examples of control objectives:

  • prevent unauthorized use of purchase orders
  • ensure adequate supplies of materials
  • establish an enterprise architecture for information technology
  • all outside support personnel are identified
  • identify and assess risks that may cause material misstatements of financial records
  • educate and train staff
  • ensure the confidentiality and integrity of customers' payment information
  • establish a compliance program

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, 2.1 Multitiered Risk Management.

The selection and specification of security controls for an information system is accomplished as part of an organization-wide information security program for the management of risk, that is, the risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation of information systems. Risk-based approaches to security control selection and specification consider effectiveness, efficiency, and constraints due to applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.

NIST CSF References: ID.BE-5, ID.GV-3

Goal 2 – Forming relationships with external entities is planned.
The purpose of this goal is to assess whether the acquirer has processes in place to enter into relationships and formal agreements with external entities.
1. Does the acquirer have an established process for entering into formal agreements with external entities?
Alternate
2. Has the acquirer identified and documented baseline (boilerplate) requirements that apply to any supplier that supports the critical service?
No
3. Does the acquirer have a process to identify and document resilience requirements for specific external entities (suppliers, infrastructure providers, and governmental services) that support the critical service?
N/A
4. Does the acquirer’s process to enter into formal agreements with suppliers ensure that resilience requirements are considered before entering into agreements?
Yes
Option(s) for Consideration
Q1

CERT-RMM Reference

[EXD:SG3.SP3] Evaluate and Select External Entities.

External entities should be selected according to an organized and thorough process and according to explicit specifications and selection criteria. The selection process and criteria should be designed to ensure that the selected entity can fully meet the acquirer's specifications.

NIST Reference

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, SA-12 Supply Chain Protection.

Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls.

Additional References

ITIL Service Strategy, The Stationery Office, 2011, Best Management Practice. Section 3.7, “Sourcing Strategy,” 117-125.

NIST CSF References: ID.BE-1, ID.SC-1, ID.SC-2, ID.SC-3

Q2

CERT-RMM Reference

[EXD:SG3.SP1] Establish Enterprise Specifications for External Dependencies

When external entities support the execution of the organization's services, they become an extension of the organization and should be subject to the same or similar policies, standards, and guidelines as the organization's staff. These enterprise level policies, standards and guidelines must be translated to a set of enterprise-level specifications and reflected in agreements with each external entity to ensure a seamless implementation of the organization's resilience strategy.

NIST Reference

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, The Fundamentals, 2.1.

Basic practices include ensuring that federal department and agency acquirers understand the cost and scheduling constraints of the practices, integrating information security requirements into the acquisition language, using applicable baseline security controls as one of the sources for security requirements, ensuring a robust software quality control process, and establishing multiple delivery routes for critical system elements.

Additional References

ISO 27036-3, “Information Technology - Security techniques-Information Security for Supplier Relationships,” Part 3, 6.1.1, 7.

NIST CSF References: ID.BE-1, ID.GV-3, ID.SC-3, PR.IP-5

Q3

CERT-RMM Reference

[EXD:SG3.SP2] Establish Resilience Specifications for External Entities.

For each external dependency, establish a list of resilience specifications that apply to the responsible external entity. The process for determining and documenting the resilience specifications that apply to an external dependency and entity will vary based on the action of the entity in relation to the acquirer's operations, the priority of the external dependency, and the management structure within the acquirer. At a minimum, the resilience specifications should include a clear and definitive statement of the external entity's services, support, products, assets, or staff on which the acquirer relies.

Requirements should be gathered and documented for each type of external dependency. Even in cases where it is not practical to include these requirements in formal agreements with external entities, they are useful as a way to assess and manage risks against external dependencies.

Additional References

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” Section 3.2.3 Define/Develop Requirements

The acquirer mission/business owner or their designee, with assistance from the procurement official and other members of the SCRM team, if applicable, should define and document requirements for the procurement. During this process, mission, functionality, quality, and security requirements should be developed and documented. This process will identify the requirements for the procurement and how these requirements will apply to the specific items of supply (elements and processes).

ISO 27036-2, “IT-Security Techniques-Information Security for Supplier Relationships,” Requirements Introduction.

NIST CSF References: ID.BE-1, ID.BE-5, ID.SC-3

Q4

CERT-RMM Reference

[EXD:SG3.SP3] Evaluate and Select External Entities

From a resilience perspective, the selection process for external entities is often an extension of or supplement to the organization's standard procurement processes. Resilience specifications may simply serve as additional requirements for consideration and evaluation as part of the standard procurement process. In all cases, due diligence should be performed on candidate external entities to evaluate their ability to meet the resilience specifications that have been established for the actions they hope to perform for the organization.

In some cases, external entities cannot be selected from a pool of candidates; they may be inherited in the course of an acquisition or merger or they may be the only provider of a high-value service on which the organization depends (this is often the case for public services). In cases in which external entities cannot be selected, the due diligence process for selection should still be performed to identify any specifications that are not met by the external entity. It may be appropriate to alter the specifications by changing the actions or nature of the dependence on the external entity to resolve the unmet specifications. In cases where the specifications cannot be changed, any unmet specifications should be treated as risks.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, SA-12(2) Supply Chain Protection | Supplier Reviews.

The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service. Supplemental Guidance: Supplier reviews include, for example: (i) analysis of supplier processes used to design, develop, test, implement, verify, deliver, and support information systems, system components, and information system services; and (ii) assessment of supplier training and experience in developing systems, components, or services with the required security capability. These reviews provide organizations with increased levels of visibility into supplier activities during the system development life cycle to promote more effective supply chain risk management. Supplier reviews can also help to determine whether primary suppliers have security safeguards in place and a practice for vetting subordinate suppliers, for example, second- and third-tier suppliers, and any subcontractors.

ITIL Service Strategy, The Stationery Office, 2011, Best Management Practice. Section 3.7, “Sourcing Strategy,” 117-125.

NIST CSF References: ID.BE-1, ID.BE-4, ID.SC-3

Goal 3 – Risk management includes external dependencies.
The purpose of this goal is to assess whether the acquirer's risk management process includes external dependency risk.
1. Has a plan for managing operational risk been established and agreed to by Stakeholders?
Unanswered
2. Are the risks of relying on external entities to support the critical service identified and managed (accepted, transferred, mitigated, etc.)?
2.1 Suppliers
No
2.2 Infrastructure providers
N/A
2.3 Governmental services
Yes
3. Does the acquirer identify and manage the risk of an external entity being a single point of failure?
Unanswered
Option(s) for Consideration
Q1

CERT-RMM Reference

[RISK:SG1.SP2] Establish a Risk Management Strategy

Because of the pervasive nature of operational risk, a comprehensive operational risk management strategy is needed to ensure proper consideration of risk and the effects on operational resilience. The strategy provides a common foundation for the performance of operational risk management activities (which are typically dispersed throughout the organization) and for the collection, coordination, and elevation of operational risk to the organization's enterprise risk management process.

Preparation for operational risk management requires the organization to develop and maintain a strategy for identifying, analyzing, and mitigating operational risks. This strategy is documented in a risk management plan and addresses the activities that the organization performs enterprise-wide to carry out a continuous risk management program. This includes identifying the sources and types of operational risk and establishing a strategy that details the organization's approach, activities, and objectives for managing these risks as a fundamental operational resilience management process.

Additional References

NIST Special Publication 800-39, “Managing Information Security Risk: Organization, Mission, and Information System View,” 2.1 Components of Risk Management.

Managing risk is a complex, multifaceted activity that requires the involvement of the entire organization: from senior leaders/executives providing the strategic vision and top-level goals and objectives for the organization; to mid-level leaders planning, executing, and managing projects; to individuals on the front lines operating the information systems supporting the organization's missions/business functions. Risk management is a comprehensive process that requires organizations to: (i) frame risk (i.e., establish the context for risk-based decisions); (ii) assess risk; (iii) respond to risk once determined; and (iv) monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations. Risk management is carried out as a holistic, organization-wide activity that addresses risk from the strategic level to the tactical level, ensuring that risk-based decision making is integrated into every aspect of the organization.

NIST CSF References: ID.GV-4, ID.RM-1, ID.SC-1

Q2

CERT-RMM References

[EXD:SG2.SP1] Identify Risks Due to External Dependencies.

Identification of risks due to external dependencies requires an understanding of the actions of the associated external entity in the operation, support, or resilience of the organization's services. External entities will be responsible for varying dependencies in the support of the organization's operations.

[RISK:SG1.SP1] Determine Risk Sources and Categories.

The sources of risk to assets and services are identified and the categories of risk that are relevant to the organization are determined.

Identifying risk sources helps the organization to determine and categorize the types of operational risk that are most likely to affect day-to-day operations and to seed an organization-specific risk taxonomy that can be used as a tool for managing risk on a continuous basis as operating conditions change and evolve. The sources of risk can be both internal and external to the organization.

Categorizing operational risks provides the organization a means from which to perform advanced analysis and mitigation activities that allow for similar types of risks to be effectively neutralized or contained by limited actions by the organization.

Additional References

NIST Special Publication 800-30, “Risk Management Guide for Information Technology Systems,” Section 2.4 Application of Risk Assessments.

ISO 28000 First Edition, “Specification for security management systems for the supply chain.”

NIST CSF References: ID.BE-1, ID.RA-5, ID.RA-6, ID.SC-1, ID.SC-2, ID.SC-4

Q3

CERT-RMM Reference

[EXD:SG1.SP2] Prioritize External Dependencies

Determine whether the loss of a single supplier would cause unacceptable disruption to critical services. This can be accomplished through affinity analysis. For such vendors, address the service risk by clearly defining requirements and/or applicable mitigations, such as alternate vendors that can be engaged if the primary vendor fails.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, SA-12(13) Supply Chain Protection | Critical Information System Components.

Adversaries can attempt to impede organizational operations by disrupting the supply of critical information system components or corrupting supplier operations. Safeguards to ensure adequate supplies of critical information system components include, for example: (i) the use of multiple suppliers throughout the supply chain for the identified critical components; and (ii) stockpiling of spare components to ensure operation during mission-critical times.

OCC Bulletin 2013-29. Subject: Third-Party Relationships United States Department of the Treasury, October 30, 2013.

Senior management should ensure that periodic independent reviews are conducted on the third-party risk management process, particularly when a bank involves third parties in critical activities. . . .

Reviews may include assessing the adequacy of the bank's process for

  • identifying and managing concentration risks that may arise from relying on a single third party for multiple activities, or from geographic concentration of business due to either direct contracting or subcontracting agreements to the same locations.

ITIL Service Strategy, The Stationery Office, 2011, Best Management Practice. Section 3.7.3, “Multi-vendor Sourcing.”

NIST CSF References: ID.RA-4, ID.RA-5, ID.SC-2, ID.SC-4

Goal 4 – External entities are evaluated.
The purpose of this goal is to assess whether the acquirer evaluates external entities for their ability to meet the critical service's resilience requirements.
1. Are resilience requirements included in written communications with prospective suppliers, for example in requests for proposals (RFPs)?
Alternate
2. Does the acquirer consider the ability of suppliers to meet the resilience requirements of the critical service before entering into formal agreements?
No
3. Does the acquirer identify suppliers from which it requires documented verification of an ability to meet the critical service’s resilience requirements?
N/A
4. Does the acquirer consider external entities’ own external dependency risks before entering into formal agreements to support the critical service?
Yes
Option(s) for Consideration
Q1

CERT-RMM Reference

[EXD:SG3.SP3] Evaluate and Select External Entities.

External entities should be selected according to an organized and thorough process and according to explicit specifications and selection criteria. The selection process and criteria should be designed to ensure that the selected entity can fully meet the acquirer's specifications, which should be outlined in various work products. These products include requests for proposals, external entity selection criteria, evaluations of each external entity proposal against the selection criteria, and selection decision and supporting rationale documents.

Additional References

[CERT CMMI-ACQ, SSAD: SG1.SP2] Establish a Solicitation Package

Establish and maintain a solicitation package that includes the requirements and proposal evaluation criteria. Solicitation packages are used to seek proposals from potential suppliers. The acquirer structures the solicitation package to facilitate an accurate and complete response from each potential supplier and to enable an effective comparison and evaluation of proposals.

The solicitation package includes a description of the desired form of the response, the relevant statement of work for the supplier, and required provisions in the supplier agreement (e.g., a copy of the standard supplier agreement or non-disclosure provisions). In government acquisitions, some or all of the content and structure of the solicitation package can be defined by regulation.

The solicitation package is rigorous to ensure consistent and comparable responses but flexible enough to allow consideration of supplier suggestions for better ways to satisfy requirements.

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” Section 3.2.5 Complete Procurement.

NIST CSF References: ID.SC-2, ID.SC-3

Q2

CERT-RMM Reference

[EXD:SG3.SP3] Evaluate and Select External Entities

External entities should be selected according to an organized and thorough process and according to explicit specifications and selection criteria. The selection process and criteria should be designed to ensure that the selected entity can fully meet the organization's specifications.

From a resilience perspective, the selection process for external entities is often an extension of or supplement to the organization's standard procurement processes. Resilience specifications may simply serve as additional requirements for consideration and evaluation as part of the standard procurement process. In all cases, due diligence should be performed on candidate external entities to evaluate their ability to meet the resilience specifications that have been established for the actions they hope to perform for the organization.

Additional References

NIST Special Publication 800-53 Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations", SA-12(2) Supply Chain Protection | Supplier Reviews.

The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service.

Supplemental Guidance: Supplier reviews include, for example: (i) analysis of supplier processes used to design, develop, test, implement, verify, deliver, and support information systems, system components, and information system services; and (ii) assessment of supplier training and experience in developing systems, components, or services with the required security capability. These reviews provide organizations with increased levels of visibility into supplier activities during the system development life cycle to promote more effective supply chain risk management.

NIST Special Publication 800-39, “Managing Information Security Risk: Organization, Mission, and Information System View,” 24-26.

NIST CSF References: ID.BE-1, ID.BE-4, ID.SC-3

Q3

CERT-RMM Reference

[EXD:SG3.SP3] Evaluate and Select External Entities

Evaluate suppliers based on their abilities to meet the resilience specifications and in accordance with the established selection criteria. Due diligence should be performed on candidate external entities to validate their ability to meet the resilience specifications that have been established for the actions they hope to perform for the acquirer. Any specifications that are not being met by the external entity should be treated as risks and potentially be a factor in eliminating that supplier from consideration as an approved service provider.

Additional References

NIST Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations,” 46.

A variety of methods may be used to communicate and subsequently verify and monitor ICT SCRM requirements through such vehicles as contracts, interagency agreements, lines of business arrangements, licensing agreements, and/or supply chain transactions. These methods include:

  • clearly defining the types of external services provided to the external organization;
  • describing how the external services should be protected in accordance with the federal agency ICT supply chain security requirements; and
  • obtaining the necessary verifications that the risk to the organization's operations and assets, individuals, other organizations, and the Nation arising from the use of the external services is acceptable.

NIST CSF References: ID.SC-2, ID.SC-3

Q4

CERT-RMM Reference

[EXD:SG3.SP3] Evaluate and Select External Entities

External entities should be selected according to an organized and thorough process and according to explicit specifications and selection criteria. The selection process and criteria should be designed to ensure that the selected entity can fully meet the organization's specifications.

[EXD:SG3.SP2] Establish Resilience Specifications for External Entities.

Resilience specifications should include the specific characteristics that are required of the external entity, such as its degree of reliance on other external entities.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, SA-12(2) Supply Chain Protection | Supplier Reviews.

Supplier reviews can also help to determine whether primary suppliers have security safeguards in place and a practice for vetting subordinate suppliers, for example, second- and third-tier suppliers, and any subcontractors.

NIST Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations,” Sections 3.3.1 and 3.3.2.

System integrators are those entities that provide customized services to the acquirer including custom development, test, operations, and maintenance. This group usually replies to a request for proposal from an acquirer with a proposal that describes solutions or services that are customized to the acquirer's requirements. Such proposals provided by system integrators can include many layers of suppliers (see Chapter 3.3.2). The system integrator should ensure that those suppliers are vetted and verified with respect to the acquirer's ICT SCRM requirements. Because of the level of visibility that can be obtained in the relationship with the system integrator, the acquirer has the ability to require rigorous supplier acceptance criteria as well as any relevant countermeasures to address identified or potential risks.

Organizations should consider that the costs of doing business with suppliers may be directly impacted by the level of visibility the suppliers allow into how they apply security and supply chain practices to their solutions. When organizations or system integrators require greater levels of transparency from suppliers, they must consider the possible cost implications of such requirements. Suppliers may select to not participate in procurements to avoid increased costs or perceived risks to their intellectual property, limiting an organization's supply or technology choices. The risk to suppliers is the potential for multiple, different sets of requirements that they may have to individually comply with, which may not be scalable.

Board of Governors of the Federal Reserve System, December 5, 2013. “Guidance on Managing Outsourcing Risk,” 4-6.

NIST CSF References: ID.SC-2, ID.SC-3
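The single-point-of-failure question in Goal 3 (Q3) and the question about an external entity's own external dependencies in Goal 4 (Q4) are two views of the same dependency graph: a function that appears redundant at the first tier can still collapse to one entity once second-tier suppliers are drawn in. The Python below is an added example, not part of the CISA EDM report or any CISA tool. It models critical services, the functions they need, the first-tier suppliers for each function, and each supplier's own dependencies, then reports every entity whose loss alone disrupts a critical service and every entity that underpins more than one function (concentration). All organization, service and supplier names are constructed for illustration.

```python
"""
Added example (not from the CISA EDM report): single-point-of-failure and
concentration analysis over a small multi-tier supply chain model.
All service and supplier names below are constructed sample data.
"""
from collections import defaultdict

# Critical service -> functions it cannot operate without.
SERVICE_REQUIREMENTS = {
    "Online Banking": {"hosting", "identity", "payments", "dns"},
    "Card Processing": {"hosting", "payments"},
}

# Function -> first-tier suppliers able to deliver it.
PROVIDERS = {
    "hosting": {"CloudA", "CloudB"},
    "identity": {"IdPCo"},          # sole provider: a visible SPOF
    "payments": {"PayX", "PayY"},   # looks redundant at tier one...
    "dns": {"DNS1", "DNS2"},
}

# Supplier -> lower-tier entities it relies on (the supplier's own
# external dependencies). Both payment processors and CloudA ride on
# the same carrier, so "payments" is not actually redundant.
SUPPLIER_DEPENDENCIES = {
    "PayX": {"NetCarrier"},
    "PayY": {"NetCarrier"},
    "CloudA": {"NetCarrier", "DNS1"},
}


def transitive_dependencies(entity, deps=SUPPLIER_DEPENDENCIES):
    """Every lower-tier entity `entity` relies on, at any depth (cycle-safe)."""
    seen, stack = set(), list(deps.get(entity, ()))
    while stack:
        e = stack.pop()
        if e not in seen:
            seen.add(e)
            stack.extend(deps.get(e, ()))
    return seen


def is_operational(entity, failed, deps=SUPPLIER_DEPENDENCIES):
    """An entity is down if it failed or anything beneath it has failed."""
    return entity not in failed and failed.isdisjoint(
        transitive_dependencies(entity, deps))


def disrupted_services(failed, requirements=SERVICE_REQUIREMENTS,
                       providers=PROVIDERS, deps=SUPPLIER_DEPENDENCIES):
    """Critical services left with a required function and no working provider."""
    out = []
    for service, functions in requirements.items():
        for fn in functions:
            if not any(is_operational(p, failed, deps)
                       for p in providers.get(fn, ())):
                out.append(service)
                break
    return sorted(out)


def all_entities(providers=PROVIDERS, deps=SUPPLIER_DEPENDENCIES):
    """Every supplier at any tier that appears in the model."""
    ents = set()
    for ps in providers.values():
        ents |= ps
    for supplier, ds in deps.items():
        ents.add(supplier)
        ents |= ds
    return ents


def single_points_of_failure(requirements=SERVICE_REQUIREMENTS,
                             providers=PROVIDERS, deps=SUPPLIER_DEPENDENCIES):
    """Entities whose loss, by itself, disrupts at least one critical service."""
    spof = {}
    for e in sorted(all_entities(providers, deps)):
        hit = disrupted_services({e}, requirements, providers, deps)
        if hit:
            spof[e] = hit
    return spof


def concentration(providers=PROVIDERS, deps=SUPPLIER_DEPENDENCIES):
    """Entities that underpin more than one function, directly or via a higher tier."""
    by_entity = defaultdict(set)
    for fn, ps in providers.items():
        for p in ps:
            by_entity[p].add(fn)
            for d in transitive_dependencies(p, deps):
                by_entity[d].add(fn)
    return {e: sorted(fns) for e, fns in by_entity.items() if len(fns) > 1}


if __name__ == "__main__":
    for entity, services in single_points_of_failure().items():
        print(f"SPOF: losing {entity} disrupts {', '.join(services)}")
    for entity, fns in concentration().items():
        print(f"Concentration: {entity} underpins {', '.join(fns)}")
```

With this sample data the first-tier view shows only IdPCo as a single point of failure, but walking the suppliers' own dependencies surfaces NetCarrier, which takes down both payment processors and therefore both critical services. The same walk is what a supplier review of second- and third-tier suppliers (SA-12(2)) is meant to make possible; without that visibility the dependency entries for PayX and PayY cannot be filled in and the analysis silently reports redundancy that does not exist.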

Goal 5 – Formal agreements include resilience requirements.
The purpose of this goal is to assess whether the acquirer includes appropriate requirements in agreements with external entities where there is some ability to negotiate, such as suppliers.
1. Are resilience requirements for the critical service included in formal agreements with suppliers?
Unanswered
2. Do formal agreements require suppliers to manage their own external dependencies?
Alternate
3. Do formal agreements with suppliers include requirements to report incidents that affect the critical service?
No
4. Do formal agreements require that suppliers manage vulnerabilities that may affect the critical service?
N/A
5. Do formal agreements require that suppliers maintain disruption management plans (incident management, service continuity, etc.)?
Yes
6. Do formal agreements with suppliers that support the critical service require their participation in disruption management planning and exercising?
Unanswered
Option(s) for Consideration
Q1

CERT-RMM Reference

[EXD:SG3.SP4] Formalize Relationships

Agreements are often composed from multiple sections or multiple documents, each of which describes some aspect of the arrangement and agreement. In all cases, the agreement, regardless of form, should:

  • be enforceable by the organization
  • include detailed and complete specifications that must be met by the external entity (see EXD:SG3.SP1 and EXD:SG3.SP2)
  • include any required performance standards or work products from the organization
  • be changed to reflect changes in specifications over the life of the relationship

Subpractices:

  1. Select an agreement type that best fits the performance standards required by the organization and that is enforceable if problems arise.
  2. Properly document the agreement terms, conditions, specifications and other provisions. All agreement provisions should be documented in the agreement in language that is unambiguous.

The agreement should not contain any general exceptions for achieving the resilience specifications unless they are carefully considered and negotiated. It may, however, contain scenarios of types of unforeseen events for which the external entity is not expected to prepare. Any exceptions granted to resilience specifications or scenarios for which the external entity is not required to prepare should be treated as risks under EXD:SG2.

All agreements should establish and enable procedures for monitoring the performance of external entities and inspecting the services or products they deliver to the organization.

Additional References

NIST Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations,” Section 1.5 Foundational Practices.

Foundational practices are described in NIST standards and guidelines as well as other applicable national and international standards and best practices. They include: ensuring that organizations understand the cost and scheduling constraints of implementing ICT SCRM; integrating information security requirements into the acquisition process; using applicable baseline security controls as one of the sources for security requirements.

ISO 27036-2, “IT-Security Techniques-Information Security for Supplier Relationships,” Section 6.1 Agreement Processes.

ISO 27036-1, “IT-Security Techniques-Information Security for Supplier Relationships,” Section 5.5 ICT Supply Chain Considerations.

NIST CSF References: ID.BE-1, ID.SC-3, PR.AT-3

Q2

CERT-RMM References

[EXD:SG3.SP4] Formalize Relationships

Formal agreements should be established with external entities. The agreement content may take different forms depending on subcontracting provisions; the external entity's rights and ability to subcontract its obligations under the agreement to others should be addressed in the agreement.

[EXD:GG2.GP4] Assign Responsibility

Assign responsibility and authority for performing the external dependencies management process, developing the work products, and providing the services of the process.

Those responsible for services and assets are involved in identifying and prioritizing external dependencies and establishing resilience specifications that external entities must fulfill. Formal agreements identify external entity actions, including ensuring continuity of operations during times of stress.

Subpractices:

1. Assign responsibility and authority for performing the process.

The organization must ensure that responsibility and authority extends to all external entities and to any entities with whom the external entity has contracted to provide services or products in support of the external entity's formal agreement with the organization.

Additional References

NIST Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Management Systems and Organizations,” Sections 3.3.1 and 3.3.2.

System integrators are those entities that provide customized services to the acquirer including custom development, test, operations, and maintenance. Because of the level of visibility that can be obtained in the relationship with the system integrator, the acquirer has the ability to require rigorous supplier acceptance criteria as well as any relevant countermeasures to address identified or potential risks.

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems”, Section 4.7.1 Acquirer - Programmatic Activities.

  1. Require the integrator to monitor supplier activities, with notification to supplier, to detect and assess threats or attempts to gain, or exploit exposure of, access to elements, supply chain processes, or supply chain actors.
  2. Require that reviewers are qualified to identify weaknesses and vulnerabilities in the supply chain or integrator SCRM processes and procedures.

ISO 27036-1, “IT-Security Techniques-Information Security for Supplier Relationships,” 5.3 Information Security Risks in Supplier Relationships and Associated Threats.

NIST CSF References: ID.SC-3

Q3

CERT-RMM References

[EXD:SG3.SP4] Formalize Relationships

Supplier agreements should define the obligations of the external entity to protect the acquirer's assets and to report material incidents that have the potential to impact those assets. Those obligations should include requirements for notifying the acquirer in the event of disruptions and security incidents such as breaches and disclosures.

[IMC:GG2.GP4] Assign Responsibility

Assign responsibility and authority for performing the incident management and control process, developing the work products, and providing the services of the process.

Specific practice IMC:SG1.SP1 indicates that the incident management plan should define the roles and responsibilities necessary to carry out the plan, as well as documenting commitments from those responsible.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” SA-12(12) Supply Chain Protection | Inter-Organizational Agreements, SA-12(13) Supply Chain Protection | Critical Information System Components.

The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service.

Supplemental Guidance: The establishment of inter-organizational agreements and procedures provides for notification of supply chain compromises. Early notification of supply chain compromises that can potentially adversely affect or have adversely affected organizational information systems, including critical system components, is essential for organizations to provide appropriate responses to such incidents.

NIST Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Management Systems and Organizations,” Section 2.5 Foundational Practices.

NIST CSF References: ID.SC-3

Q4

CERT-RMM References

[EXD:SG3.SP2] Establish Resilience Specifications for External Dependencies

Consider the following topics when establishing required behaviors and standards of performance for external dependencies and entities:

  • security, including incident management procedures and performance, vulnerability and penetration management, logical and physical access controls, identity management, and security standards compliance.

[VAR:GG2.GP4] Assign Responsibility

Assign responsibility and authority for performing the specific tasks of the process, including:

  • developing and implementing contractual instruments (including service level agreements) with external entities to establish responsibility and authority for performing process tasks on outsourced functions.

Additional References

ISO 27036-1, “IT-Security Techniques-Information Security for Supplier Relationships,” 5.5 ICT Supply Chain Considerations, 5.3 Information Security Risks in Supplier Relationships and Associated Threats.

NIST CSF References: ID.SC-3

Q5

CERT-RMM References

[IMC:GG2.GP4] Assign Responsibility

Assign responsibility and authority for performing the incident management and control process, developing the work products, and providing the services of the process.

Subpractices

  1. Assign responsibility and authority for performing the process.
  2. Assign responsibility and authority for performing the specific tasks of the process such as: developing and implementing contractual instruments (including service level agreements) with external entities to establish responsibility and authority for performing process tasks on outsourced functions, assets, and services.

[SC:GG2.GP4] Assign Responsibility

Assign responsibility and authority for performing the service continuity process, developing the work products, and providing the services of the process.

Subpractices

1. Assign responsibility and authority for performing the process.

2. Assign responsibility and authority for performing the specific tasks of the process, such as: developing and implementing contractual instruments (including service level agreements) with external entities to establish responsibility and authority for performing process tasks on outsourced functions.

Additional References

ISO 22301 First Edition, “Societal Security - Business continuity management systems - Requirements.”

NIST CSF References: ID.SC-3

Q6

CERT-RMM References

[IMC:GG2.GP7] Identify and Involve Relevant Stakeholders

Assign responsibility and authority for performing the incident management and control process, developing the work products, and providing the services of the process.

Stakeholders (including external entities) may be involved in various tasks in the incident management and control process, such as

  • detecting events and incidents
  • planning for incident handling, management, and response
  • making commitments to process plans and activities
  • collecting, documenting, and preserving event and incident evidence
  • analyzing events and incidents
  • declaring incidents
  • responding to incidents, including participating on incident response teams
  • communicating events and incidents and the status of incidents as they move through the incident life cycle
  • escalating incidents
  • coordinating process activities
  • reviewing and appraising the effectiveness of process activities
  • performing post-incident review and improvement processes

[SC:GG2.GP4] Assign Responsibility

Assign responsibility and authority for performing the service continuity process, developing the work products, and providing the services of the process.

Subpractices

  1. Assign responsibility and authority for performing the process.
  2. Assign responsibility and authority for performing the specific tasks of the process, such as: developing and implementing contractual instruments (including service level agreements) with external entities to establish responsibility and authority for performing process tasks on outsourced functions.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, CP-4 Contingency Plan Testing.

The organization coordinates contingency plan testing with organizational elements responsible for related plans.

Supplemental Guidance: Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. This control enhancement does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations should coordinate with those elements. Related controls: IR-8, PM-8.

Federal Financial Institutions Examination Council (FFIEC) Business Continuity Planning IT Examination Handbook, Testing Strategies, 16.

The testing policy should include enterprise-wide testing strategies that establish expectations for individual business lines. Business lines include all internal and external supporting functions, such as IT and facilities management. The testing strategy should include the following:

  • Expectations for business lines and support functions to demonstrate the achievement of business continuity test objectives consistent with the BIA and risk assessment;
  • Expectations for testing internal and external interdependencies; and

ITIL Service Design, The Stationery Office, 2011, Best Management Practice. Section 4.8.5.5. “Sourcing Structures,” 219-220.

NIST CSF References: ID.SC-3, ID.SC-5

Goal 6 – Technology asset supply chain risks are managed.
The purpose of this goal is to assess whether the acquirer institutes controls over risks posed by deploying technology internally. These risks may include, for example, counterfeit, maliciously tainted, or vulnerable technology products.
1. Does the acquirer identify and document the resilience requirements for technology assets that support the critical service?
Alternate
2. Does the acquirer evaluate technology assets that support the critical service for vulnerabilities before they are acquired?
No
3. Has the acquirer identified the criteria or standards required for technology suppliers to be considered trusted?
N/A
4. Has the acquirer identified trusted suppliers from which it obtains technology assets that support the critical service?
Yes
5. Does the acquirer formally evaluate the need to conduct acceptance testing for technology assets that support the critical service and conduct such testing (if appropriate)?
Unanswered
Option(s) for Consideration
Q1

CERT-RMM Reference

[TM:SG2.SP1] Assign Resilience Requirements to Technology Assets

Resilience requirements that have been defined are assigned to technology assets.

Resilience requirements form the basis for the actions that the organization takes to protect and sustain technology assets. These requirements are established commensurate with the value of the asset to services that it supports. The resilience requirements for technology assets must be assigned to the assets so that the appropriate type and level of protective controls can be designed, implemented, and monitored to meet the requirements.

Additional References

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” Section 3.2.3 Define/Develop Requirements.

The acquirer mission/business owner or their designee, with assistance from the procurement official and other members of the SCRM team, if applicable, should define and document requirements for the procurement. During this process, mission, functionality, quality, and security requirements should be developed and documented. This process will identify the requirements for the procurement and how these requirements will apply to the specific items of supply (elements and processes).

NIST Special Publication 800-39, “Managing Information Security Risk Acquirer, Mission, and Information System View,” 24-26.

ISO 27036-2, “IT-Security Techniques-Information Security for Supplier Relationships,” Requirements Introduction.

NIST CSF References: ID.BE-5

Q2

CERT-RMM References

[VAR:SG2.SP2] Discover Vulnerabilities

Data collection should be coordinated to discover vulnerabilities and populate the vulnerability repository as efficiently as possible.

[VAR:SG3.SP1] Manage Exposure to Vulnerabilities

Develop a vulnerability management strategy for all vulnerabilities that require resolution. The strategy should address the actions that the organization will take to reduce or eliminate exposure or to provide an operational workaround if preferable. This includes ensuring that relevant stakeholders are informed of resolution activities.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, SA-12(2) Supply Chain Protection | Supplier Reviews.

The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service.

Supplemental Guidance: Supplier reviews include, for example: (i) analysis of supplier processes used to design, develop, test, implement, verify, deliver, and support information systems, system components, and information system services; and (ii) assessment of supplier training and experience in developing systems, components, or services with the required security capability. These reviews provide organizations with increased levels of visibility into supplier activities during the system development life cycle to promote more effective supply chain risk management. Supplier reviews can also help to determine whether primary suppliers have security safeguards in place and a practice for vetting subordinate suppliers, for example, second- and third-tier suppliers, and any subcontractors.

Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls.

NIST Special Publication 800-40 Version 3.0, “Creating a Patch Management and Vulnerability Management Program.” 2.3.2 Monitoring Vulnerabilities, Remediations, and Threats, 7.

Vendors are the authoritative source of information for patches related to their products. However, many vendors will not announce vulnerabilities in their products until patches are available; accordingly, monitoring third-party vulnerability resources as well is recommended.

ISO 27036-3, “Information technology - Security techniques - Information Security for Supplier Relationships” Part 3, 6.

NIST CSF References: ID.BE-4, ID.RA-1

Q3

CERT-RMM Reference

[EXD:SG3.SP1] Establish Enterprise Specifications for External Dependencies

Enterprise specifications that apply in general to external entities are established and maintained.

The organization has a set of values and behaviors that it follows when carrying out its operation. These values and behaviors may be derived to support the organization's strategy or designed to create or reinforce the organization's public image. They may also be a reflection of the organization's market sector or the function of regulations or other constraints to which the organization must comply.

Regardless of the source, the organization's values and behaviors should be reflected in high-level organizational policies that govern the behavior of staff and external entities whenever they are representing or performing services for the organization.

[EXD:SG3.SP3] Evaluate and Select External Entities

A key selection criterion is the ability of an external entity to predictably meet specifications.

The specifics of establishing and maintaining trust can differ from organization to organization based on mission/business requirements, the participants involved in the trust relationship, the criticality/sensitivity of the information being shared or the types of services being rendered, the history between the organizations, and the overall risk to the organizations participating in the relationship.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” SA-13 Trustworthiness.

  • Describes the trustworthiness required in the information system, information system component, or information system service supporting its critical missions/business functions;

Supplemental Guidance: This control helps organizations to make explicit trustworthiness decisions when designing, developing, and implementing information systems that are needed to conduct critical organizational missions/business functions. Trustworthiness is a characteristic/property of an information system that expresses the degree to which the system can be expected to preserve the confidentiality, integrity, and availability of the information it processes, stores, or transmits. Trustworthy information systems are systems that are capable of being trusted to operate within defined levels of risk despite the environmental disruptions, human errors, and purposeful attacks that are expected to occur in the specified environments of operation. Trustworthy systems are important to mission/business success.

Two factors affecting the trustworthiness of information systems include: (i) security functionality (i.e., the security features, functions, and/or mechanisms employed within the system and its environment of operation); and (ii) security assurance (i.e., the grounds for confidence that the security functionality is effective in its application).

NIST Special Publication 800-39, “Managing Information Security Risk Acquirer, Mission, and Information System View,” 24-26.

ISO 20243, "Information Technology -- Open Trusted Technology Provider Standard (O-TTPS) -- Mitigating maliciously tainted and counterfeit products," 1.2 Overview.

The Open Trusted Technology Provider Standard (O-TTPS) is a set of guidelines, requirements, and recommendations that, when practically applied, create a business benefit in terms of reduced risk of acquiring maliciously tainted or counterfeit products for the technology acquirer.

Trusted Technology Providers manage their product life cycle, including their extended supply chains, through the application of defined, monitored, and validated best practices. The product's integrity is strengthened when providers and suppliers follow (. . .) requirements and recommendations (that have been) taken from the experience of mature industry providers, rigorously reviewed (. . .), and established as requirements and recommendations . . .

The Open Trusted Technology Provider Standard is available for download at: www.opengroup.org

NIST CSF References: ID.SC-2

Q4

CERT-RMM References

[TM:SG3.SP2] Mitigate Technology Risk

Risk mitigation strategies for technology assets are developed and implemented.

The mitigation of technology asset risk involves the development of strategies that seek to minimize the risk to an acceptable level. This includes reducing the likelihood of risks to technology assets, minimizing exposure to these risks

[TM:GG2.GP2] Plan the Technology Management Process

Establish and maintain the plan for performing the technology management process.

A plan for performing the technology management process is created to preserve the integrity of technology assets and to ensure that technology assets remain available and viable to support organizational services. The plan must address the resilience requirements of the technology assets, dependencies of services on these assets, and consideration of multiple asset owners and custodians at various levels of the organization.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, Section 2.5 External Suppliers.

The degree of confidence that the risk from using external services is at an acceptable level depends on the trust that organizations place in external service providers. In some cases, the level of trust is based on the amount of direct control organizations are able to exert on external service providers with regard to employment of security controls necessary for the protection of the service/information and the evidence brought forth as to the effectiveness of those controls. The level of control is usually established by the terms and conditions of the contracts or service-level agreements with the external service providers and can range from extensive control (e.g., negotiating contracts or agreements that specify detailed security requirements for the providers) to very limited control (e.g., using contracts or service-level agreements to obtain commodity services such as commercial telecommunications services).

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, SA-13 Trustworthiness.

  • Describes the trustworthiness required in the information system, information system component, or information system service supporting its critical missions/business functions;

Supplemental Guidance: This control helps organizations to make explicit trustworthiness decisions when designing, developing, and implementing information systems that are needed to conduct critical organizational missions/business functions. Trustworthiness is a characteristic/property of an information system that expresses the degree to which the system can be expected to preserve the confidentiality, integrity, and availability of the information it processes, stores, or transmits. Trustworthy information systems are systems that are capable of being trusted to operate within defined levels of risk despite the environmental disruptions, human errors, and purposeful attacks that are expected to occur in the specified environments of operation. Trustworthy systems are important to mission/business success.

Two factors affecting the trustworthiness of information systems include: (i) security functionality (i.e., the security features, functions, and/or mechanisms employed within the system and its environment of operation); and (ii) security assurance (i.e., the grounds for confidence that the security functionality is effective in its application).

NIST Special Publication 800-39, “Managing Information Security Risk Acquirer, Mission, and Information System View,” 24-26.

ISO 20243, "Information Technology -- Open Trusted Technology Provider Standard (O-TTPS) -- Mitigating maliciously tainted and counterfeit products," 1.2 Overview.

ISO 27036-1, “IT-Security Techniques-Information Security for Supplier Relationships,” 5.1 Business case for ICT Supply Chain Security.

NIST CSF References: ID.SC-2

Q5

CERT-RMM Reference

[TM:SG2.SP2] Establish and Implement Controls

Administrative, technical, and physical controls that are required to meet the established resilience requirements are identified and implemented.

The organization must implement an internal control system that protects the continued operation of technology assets commensurate with their role in supporting organizational services. Controls are essentially the methods, policies, and procedures that the organization uses to provide an acceptable level of protection over high-value technology assets. Controls typically fall into three categories: administrative (or managerial), technical, and physical. All of these controls are necessary for technology assets because they come in so many different forms and are pervasive across the organization.

Subpractices include: Establish and specify controls over the design, construction, or acquisition of technology assets. These controls ensure that the development and acquisition of software and systems or the development and acquisition of hardware is performed with consideration of the operational resilience of these assets.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, SA-12(10) Supply Chain Protection | Validate as Genuine and Not Altered.

The organization employs security safeguards to validate that the information system or system component received is genuine and has not been altered.

Supplemental Guidance: For some information system components, especially hardware, there are technical means to help determine if the components are genuine or have been altered.

Security safeguards used to validate the authenticity of information systems and information system components include, for example, optical/nanotechnology tagging and side-channel analysis. For hardware, detailed bill of material information can highlight the elements with embedded logic complete with component and production location.

NIST Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Management Systems and Organizations,” Sections 3.3.1 and 3.3.2.

System integrators are those entities that provide customized services to the acquirer including custom development, test, operations, and maintenance. This group usually replies to a request for proposal from an acquirer with a proposal that describes solutions or services that are customized to the acquirer's requirements. Such proposals provided by system integrators can include many layers of suppliers (see Chapter 3.3.2). The system integrator should ensure that those suppliers are vetted and verified with respect to the acquirer's ICT SCRM requirements. Because of the level of visibility that can be obtained in the relationship with the system integrator, the acquirer has the ability to require rigorous supplier acceptance criteria as well as any relevant countermeasures to address identified or potential risks.

NIST Special Publication 800-39, “Managing Information Security Risk Acquirer, Mission, and Information System View,” 24-26.

NIST CSF References: ID.SC-2, PR.IP-2

Remarks - Relationship Formation - MIL-1

No remarks have been entered

Relationship Management and Governance - MIL-1


The purpose of Relationship Management and Governance is to assess whether the acquirer manages ongoing relationships to maintain the resilience of the critical service, and mitigate dependency risk. This includes identifying the external entities that support the critical service, ongoing risk management, communicating with external entities about key aspects of protecting the critical service, and controlling external entities' access to the acquirer.

Goal 1 – External dependencies are identified and prioritized.
The purpose of this goal is to assess whether the acquirer identifies the external entities that it depends on to support the critical service and prioritizes them in order to make decisions about managing these dependencies.
1. Are dependencies on external entities that are critical to the service(s) identified?
1.1 Suppliers
No
1.2 Infrastructure providers
N/A
1.3 Governmental services
Yes
2. Are external dependencies prioritized?
Unanswered
3. Has a process been established for maintaining a list of external dependencies and related information?
Alternate
Option(s) for Consideration
Q1

CERT-RMM Reference

[EXD:SG1.SP1] Identify External Dependencies

It is important for the organization to identify and characterize external dependencies so that they can be understood, formalized, monitored, and managed as part of the organization's comprehensive risk management process.

The organization's list of services should be examined to discover services that may be subject to external dependencies, in whole or in part. The organization's inventory of assets should also be examined to discover assets that are under the control of external entities or are in other ways subject to external dependencies. The organization may find value and efficiency in establishing close service links or overlap to facilitate information sharing between the external dependencies list, the services listing, and the asset inventory. The organization's customer database and supplier database may also be valuable sources of insight when establishing the catalog of external dependencies. The organization's set of current supplier and vendor contracts and related service level agreements (SLAs) are additional sources.

Additional References

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” Section 4.1, Uniquely Identify Supply Chain Elements, Processes, and Actors.

Knowing who and what is in an enterprise's supply chain is critical to gaining visibility into what is happening within it, as well as monitoring and identifying high-risk events and activities. Without reasonable visibility and traceability into the supply chain, e.g., elements, processes, and actors, it is impossible to understand and therefore manage risk, and to reduce the likelihood of an adverse event.

NIST Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations,” Section 2-0 Criticality Analysis.

Update Criticality Analysis of mission-critical functions, systems, and components to narrow the scope (and resources) for ICT SCRM activities to those most important to mission success.

Criticality analysis should include the ICT supply chain infrastructure for both the organization and applicable system integrators, suppliers, external service providers, and the systems/components/services. Criticality analysis assesses the direct impact they each have on the mission priorities.

In addition to updating and tailoring Baseline Criticality, performing criticality analysis in the Assess Step may include the following:

  • Obtain and review existing information that the agency has about critical ICT systems/components, such as locations where they are manufactured or developed, physical and logical delivery paths, information flows and financial transactions associated with these components, and any other available information that can provide insights into the ICT supply chain of these components

Additional Reference

ITIL Service Design, The Stationery Office, 2011, Best Management Practice. 4.8.7 “Information Management,” 224.

NIST CSF References: ID.BE-4, ID.SC-2

Q2

CERT-RMM Reference

[EXD:SG1.SP2] Prioritize External Dependencies

Apply the acquirer's prioritization criteria to the list of external dependencies to produce a prioritized list. Depending on the prioritization scheme developed by an organization, the result might be several lists, tiers, or sets of external dependencies. Be sure that external dependencies that are required for the successful execution of security activities, service continuity plans, and service restoration plans are prioritized appropriately.

Additional References

NIST Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations,” Section 2.2.1 Frame.

As a part of identifying ICT supply chain Risk Assumptions within the broader Risk Management process (described in NIST SP 800-39), agencies should do the following:

  • Define ICT SCRM mission, business, and system-level requirements;
  • Identify which mission functions and related components are critical to the organization, including FIPS 199 impact level, to determine the baseline criticality;

NIST CSF References: ID.BE-4, ID.SC-2

Q3

CERT-RMM Reference

[EXD:SG1.SP1] Identify External Dependencies

The organization may use any number of techniques to establish a catalog or detailed list of external dependencies.

The purpose of the catalog of external dependencies is to support the identification and prioritization of external dependencies and the management of risks associated with selected dependencies.

The organization's external dependencies will change over time as a result of changes to relationships with essential suppliers and customers, changes in services, the life cycle of assets, and many other reasons. Once the list of external dependencies is established, it is important that it be maintained. A process for updating the list on a regular basis should be established.

Additional References

NIST CSF References: ID.BE-4, ID.SC-2

Goal 2 – Supplier risk management is continuous.
The purpose of this goal is to assess whether the acquirer continuously manages the risks of relying on suppliers to support the critical service.
1. Does the acquirer periodically review and update resilience requirements for suppliers?
No
2. Does the acquirer periodically review risks due to suppliers?
N/A
3. Does the acquirer periodically discuss and review risks with suppliers?
Yes
4. Does the acquirer conduct periodic reviews with suppliers to verify that vulnerabilities relevant to the critical service are continuously managed?
Unanswered
5. Does the acquirer’s risk monitoring include critical service resilience requirements not codified in supplier agreements?
Alternate
6. Does the acquirer’s risk monitoring include supplier performance issues and concerns?
No
Option(s) for Consideration
Q1

CERT-RMM References

[RRM:SG1.SP3] Manage Resilience Requirements Changes. Changes to resilience requirements are managed as conditions dictate.

The conditions under which organizations operate are continually changing. As a result, the risk environment for services and associated assets continues to evolve as well. An organization must become very adept at recognizing changes in conditions that dictate, or may require, changes in asset resilience requirements.

Managing changes to requirements involves consideration of several distinct activities:

  • identifying change triggers and criteria including: changes that result in outsourcing services and assets or in changing current external entity relationships

[EXD:SG3.SP2] Establish Resilience Specifications for External Dependencies

Periodically review and update resilience specifications for external dependencies and entities as conditions warrant.

Additional References

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” Section 3.2.1 Operational Contract Execution.

Once a system becomes operational, the operating environment may change. Changes involve, but are not limited to, suppliers, elements, delivery processes, and business processes. These changes may alter, add, or reduce ICT supply chain risks. During operations, acquirers should continue to perform ICT SCRM, including the assessment of foundational enterprise practices. The acquirer will need to ensure that the integrator or supplier understands supply chain risk and provides information on applicable changes to the elements, environment, vulnerabilities, and patches on an ongoing basis. The following activities will help the acquirer maintain supply chain oversight and improve processes for future procurements:

Monitor and periodically (or continuously if appropriate) reevaluate changes in the risk environment that impact the supply chain including technology innovation, operational environment, regulatory environment, etc. Respond to change where appropriate through modifying ICT SCRM requirements.

ISO 27036-2, “IT-Security Techniques-Information Security for Supplier Relationships,” 7.4.3 Supplier Relationship Agreement Process - Activities.

ISO 27036-3, “IT-Security Techniques-Information Security for Supplier Relationships,” 6.4.2e.

NIST CSF References: ID.BE-1, ID.BE-5, ID.SC-3

Q2

CERT-RMM Reference

[EXD:SG2.SP1] Identify and Assess Risks Due to External Dependencies

Risks associated with external dependencies are periodically identified and assessed.

Risks due to external dependencies must be identified and assessed so that they can be effectively managed to maintain the resilience of the organization's high-value services.

Additional References

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” Section 4.1, Uniquely Identify Supply Chain Elements, Processes, and Actors.

Knowing who and what is in an enterprise's supply chain is critical to gaining visibility into what is happening within it, as well as to monitoring and identifying high-risk events and activities. Without reasonable visibility into and traceability of the supply chain (e.g., its elements, processes, and actors), it is impossible to understand, and therefore to manage, risk and to reduce the likelihood of an adverse event.

ITIL Service Design, The Stationery Office, 2011, Best Management Practice. Section 4.8.5.4, “Establishment of New Suppliers and Contracts,” 218-219.

ISO 27036-1, “IT-Security Techniques-Information Security for Supplier Relationships,” 5.3 Information Security Risks in Supplier Relationships and Associated Threats.

ISO 27036-2, “IT-Security Techniques-Information Security for Supplier Relationships,” Section 6.3.4 Risk Management Process.

NIST CSF References: ID.SC-1, ID.SC-4

Q3

CERT-RMM References

[EXD:GG2.GP7] Identify and Involve Relevant Stakeholders

Identify and involve the relevant stakeholders of the external dependencies management process as planned.

Identify process stakeholders and their appropriate involvement. Because external entities may reside in a wide range of physical locations and provide and support numerous processes, services, and assets, a substantial number of stakeholders are likely to be external to the organization.

These are examples of stakeholders of the plan for the external dependencies management process:

  • internal and external owners and custodians of organizational assets
  • internal and external service owners
  • organizational unit and line of business managers responsible for high-value assets and the services they support
  • staff responsible for managing operational risks arising from external dependencies and relationships with external entities
  • staff responsible for establishing, implementing, and maintaining an internal controls system for organizational assets, where an external entity is involved
  • staff required to develop, test, implement, and execute service continuity plans that involve external dependencies and external entities
  • acquisition and procurement staff
  • internal and external auditors

[RISK:GG2.GP8] Monitor and Control the Process

Monitor and control the risk management process against the plan for performing the process and take appropriate corrective action.

Additional References

NIST Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations,” Section AC-21 Collaboration and Information Sharing.

Sharing information within the ICT supply chain can help to manage ICT supply chain risks. This information may include vulnerabilities, threats, criticality of systems and components, or delivery information. This information sharing should be carefully managed to ensure that the information is accessible only to authorized individuals within the organization's ICT supply chain.

ISO 27036-1, “IT-Security Techniques-Information Security for Supplier Relationships,” 5.3 Information Security Risks in Supplier Relationships and Associated Threats.

ITIL Service Design, The Stationery Office, 2011, Best Management Practice. Section 4.8.5.4, “Establishment of New Suppliers and Contracts,” 218-219.

NIST CSF References: ID.SC-2, ID.SC-4

Q4

CERT-RMM References

[VAR:GG2.GP7] Identify and Involve Relevant Stakeholders

Identify process stakeholders and their appropriate involvement. These are examples of stakeholders of the vulnerability analysis and resolution process:

  • higher level managers responsible for establishing organizational risk criteria and tolerances
  • staff responsible for the organization's risk management plan
  • asset owners, custodians, and users
  • staff responsible for managing operational risks to assets
  • staff responsible for establishing, implementing, and maintaining an internal control system for assets
  • staff responsible for developing, testing, implementing, and executing service continuity plans
  • external entities responsible for managing high-value assets and providing essential services
  • internet service providers
  • legal counsel
  • information technology staff, such as system administrators and CSIRTs
  • staff responsible for physical security (for facility assets)
  • owners of operational resilience management processes, including risk management, incident management and control, and service continuity

[VAR:GG2.GP8] Monitor and Control the Process

Monitor and control the process against the plan for performing the process and take appropriate corrective action. The process should include high-value information, technology, and facilities assets (including assets owned and managed by external entities as well as internally).

Additional References

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” Section 4.7 Perform Continuous Integrator Review.

Continuous integrator review is an essential practice used to ascertain that defensive measures have been deployed. It includes testing, monitoring, auditing, assessments, and any other means by which the acquirer observes integrator practices. The purpose of continuous integrator review is to validate compliance with requirements, ascertain that the system behaves in a predictable manner under stress, and detect and classify weaknesses and vulnerabilities of elements, processes, systems, and any associated metadata.

NIST CSF References: ID.RA-1, ID.SC-4, PR.IP-12, DE.CM-8, RS.AN-5, RS.MI-3

Q5

CERT-RMM References

[RISK:SG5.SP2] Implement Risk Strategies

Risk strategies and mitigation plans are implemented and monitored.

[EXD:SG3.SP3] Evaluate and Select External Entities

In some cases, external entities cannot be selected from a pool of candidates; they may be inherited in the course of an acquisition or merger, or they may be the only provider of a high-value service on which the organization depends (this is often the case for public services). In cases in which external entities cannot be selected, the due diligence process for selection should still be performed to identify any specifications that are not met by the external entity. It may be appropriate to alter the specifications by changing the actions or nature of the dependence on the external entity to resolve the unmet specifications. In cases where the specifications cannot be changed, any unmet specifications should be treated as risks.

Additional References

NIST CSF References: ID.RM-1, ID.SC-1, ID.SC-2, ID.SC-4

Q6

CERT-RMM References

[RISK:SG5.SP2] Implement Risk Strategies

Risk strategies and mitigation plans are implemented and monitored.

Effective management and control of risk requires the organization to monitor risk and the status of risk strategies. Because the operational environment is constantly changing, risks identified and addressed may need to be revisited, and a new disposition and strategy may need to be developed.

[EXD:SG4.SP1] Monitor External Entity Performance

The performance of external entity relationship management and governance is monitored against agreement terms and specifications. Utilization of a repository to store external dependency information facilitates the management of the overall external dependencies management program and the relationship management and governance process, in particular.

Typical work products

  1. Monitoring of reports on external entities
  2. Relationship management databases showing current performance monitoring information
  3. Inspection reports on external entity deliverables

Subpractices

1. Establish procedures and responsibility for monitoring external entity performance and inspecting any external entity deliverables. Procedures should be consistent with the agreement between the organization and the external entity and should be based on verifying that the external entity is achieving the specifications as defined in the agreement.

2. Meet periodically with external entity representatives to review the results of monitoring activities, the specifications in the agreement, and any changes in either the organization or the external entity that might impact performance.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” SA-12(11) Supply Chain Protection | Penetration Testing / Analysis of Elements, Processes, and Actors.

The organization employs . . . organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing of supply chain elements, processes, and actors associated with the information system, system component, or information system service.

Supplemental Guidance: This control enhancement addresses analysis and/or testing of the supply chain, not just delivered items. Supply chain elements are information technology products or product components that contain programmable logic and that are critically important to information system functions. Supply chain processes include, for example: (i) hardware, software, and firmware development processes; (ii) shipping/handling procedures; (iii) personnel and physical security programs; (iv) configuration management tools/measures to maintain provenance; or (v) any other programs, processes, or procedures associated with the production/distribution of supply chain elements. Supply chain actors are individuals with specific roles and responsibilities in the supply chain. The evidence generated during analyses and testing of supply chain elements, processes, and actors is documented and used to inform organizational risk management activities and decisions.

NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.”

NIST CSF References: ID.RM-1, ID.SC-1, ID.SC-2, ID.SC-4

Goal 3 – Supplier performance is governed and managed.
The purpose of this goal is to assess whether the acquirer manages the performance of suppliers in supporting the resilience of the critical service.
1. Does the acquirer monitor the performance of suppliers against resilience requirements?
Unanswered
2. Are issues with supplier performance documented and reported to appropriate stakeholders?
Alternate
3. Does the acquirer take corrective actions as necessary to address issues with supplier performance?
No
4. Are corrective actions evaluated to ensure issues are remedied?
N/A
Option(s) for Consideration
Q1

CERT-RMM Reference

[EXD:SG4.SP1] Monitor External Entity Performance

The performance of external entities is monitored against resilience requirements and agreement terms and specifications. Using an information repository to store external entity information facilitates management of external entity performance and requirements.

Additional References

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” Section 4.7 Perform Continuous Integrator Review.

Acquirers should use the continuous integrator review to help determine if integrators are fulfilling the requirements defined in the agreement and whether any remedial actions are required based on the environment and use.

NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” Section 3.3 Implement a Continuous Monitoring Program.

NIST CSF References: ID.SC-4, PR.IP-5, DE.CM-6

Q2

CERT-RMM References

[EXD:GG2.GP7] Identify and Involve Relevant Stakeholders

Identify and involve the relevant stakeholders of the external dependencies management process as planned.

Subpractices

  1. Identify process stakeholders and their appropriate involvement.
  2. Communicate the list of stakeholders to planners and those responsible for performance of the process.
  3. Involve relevant stakeholders in the process as planned.

[EXD:SG4.SP1] Monitor External Entity Performance

To ensure that performance monitoring is performed on a timely and consistent basis, the organization should establish procedures that determine the frequency, protocol, and responsibility for monitoring a particular external entity. (Responsibility is typically assigned to the organizational owner of the relationship.) These procedures should be consistent with the terms of the agreement with the external entity. It may be appropriate to adjust the monitoring frequency in response to changes in the risk environment, changes to external dependencies, or changes in the external entity.

Typical work products

  1. Monitoring of reports on external entities
  2. Relationship management databases showing current performance monitoring information
  3. Inspection reports on external entity deliverables

Additional References

NIST Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations,” Section 3 TASK 3-2: Evaluate Alternative Courses of Action for Responding to Risk.

To tailor a set of ICT SCRM controls, the organization should perform ICT SCRM and mission-level trade-off analysis to achieve appropriate balance among ICT SCRM and functionality needs of the organization. This analysis will result in a set of cost-effective ICT SCRM controls that is dynamically updated to ensure that mission-related considerations trigger updates to ICT SCRM controls.

During this evaluation, applicable requirements and constraints are reviewed with the stakeholders to ensure that ICT SCRM controls appropriately balance ICT SCRM and the broader organizational requirements, such as cost, schedule, performance, policy, and compliance.

NIST CSF References: ID.SC-1, ID.SC-4

Q3

CERT-RMM Reference

[EXD:SG4.SP2] Correct External Entity Performance

The agreement should be reviewed to identify appropriate and allowable corrective actions for consideration. The various alternatives should be evaluated based on their likelihood to succeed in correcting the situation and mitigating any associated risks. It may be valuable and appropriate to include the external entity in the discussion and consideration of alternatives, especially if both the organization and the external entity desire to continue the relationship.

Additional References

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” Section 4.1.6 Acquirer - Verification and Validation Activities.

Perform audits on unique . . . deficiencies within acquirer system/environment and report up the supply chain for corrective action.

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” SA-12(15) Supply Chain Protection | Processes to Address Weaknesses or Deficiencies.

The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.

Supplemental Guidance: Evidence generated during independent or organizational assessments of supply chain elements (e.g., penetration testing, audits, verification/validation activities) is documented and used in follow-on processes implemented by organizations to respond to the risks related to the identified weaknesses and deficiencies. Supply chain elements include, for example, supplier development processes and supplier distribution systems.

ISO 27036-2, “IT-Security Techniques-Information Security for Supplier Relationships,” 7.4.3 Activities.

NIST CSF References: ID.SC-4

Q4

CERT-RMM Reference

[EXD:SG4.SP2] Correct External Entity Performance

Implementing corrective actions is a necessary part of managing external entity performance. The objective of any corrective action is to minimize the disruption to the organization's operation or the risk of any such disruption based on external dependencies. The range of corrective actions should be established in the agreement with the external entity, and an evaluation of alternatives should be completed prior to implementing corrective actions.

Corrective actions should be documented in accordance with specifications in the agreement and used to inform and improve ongoing monitoring of the external entity.

Typical work products

  • Corrective action reports or documentation
  • Correspondence with an external entity documenting corrective actions

Subpractices

  1. Evaluate alternative corrective actions to select the optimal corrective action.
  2. The agreement should be reviewed to identify appropriate and allowable corrective actions for consideration. The various alternatives should be evaluated based on their likelihood to succeed in correcting the situation and mitigating any associated risks.
  3. It may be valuable and appropriate to include the external entity in the discussion and consideration of alternatives, especially if both the organization and the external entity desire to continue the relationship.
  4. Communicate with the external entity to review selected corrective actions.
  5. Communication provisions in the agreement should be followed to formalize the communication.
  6. Implement selected corrective actions.
  7. Monitor as appropriate to ensure that issues are remedied in a timely manner.
  8. Update the agreement with the external entity as required.

Additional References

NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” Section 3.5 Respond to Findings.

Response strategies may be implemented over a period of time, documenting implementation plans in the system's Plan of Action and Milestones (POA&M). As weaknesses are found, response actions are evaluated and any mitigation actions are conducted immediately or are added to the POA&M. Other key system documents are updated accordingly. Security controls that are modified, enhanced, or added as part of the response step of the continuous monitoring process are assessed to ensure that the new or revised controls are effective in their implementations. Going forward, new or revised controls are included in the overall continuous monitoring strategy.

NIST Special Publication 800-55, “Performance Measurement Guide for Information Security.”

NIST CSF References: ID.SC-4

Goal 4 – Change and capacity management are applied to external dependencies.
The purpose of this goal is to assess whether the acquirer coordinates change and capacity management with external entities that support the critical service. A key part of this capability is the acquirer's own internal change management process.
1. Does the acquirer have a change management process to manage modifications to its own assets that support the critical service?
1.1 Information
Unanswered
1.2 Technology
Alternate
1.3 Facilities
No
1.4 People
N/A
2. Are changes to assets that support the critical service (whether located at the acquirer or at suppliers) coordinated between the acquirer and suppliers?
2.1 Information
Unanswered
2.2 Technology
Alternate
2.3 Facilities
No
2.4 People
N/A
3. Is there a process to monitor contract renegotiations, updates, addendums, and similar changes to identify and manage any impacts to the critical service?
Yes
4. Does the acquirer monitor for organizational changes at external entities - for example buy-outs, financial problems, political or civil problems - that may affect the critical service?
Unanswered
5. Does the acquirer manage the capacity of services and assets cooperatively with suppliers?
Alternate
Option(s) for Consideration
Q1

CERT-RMM Reference

[ADM:SG3.SP2] Manage Changes to Assets and Inventory

Organizational and operational conditions are continually changing. These changes result in daily changes to the high-value assets that help the organization's services achieve their missions. For example, the following are common organizational events that would affect high-value assets:

  • staff changes, including the addition of new staff members (either internally or externally), the transfer of existing staff members from one organizational unit to another, and the termination of staff members
  • changes to information such as the creation, alteration, or deletion of paper and electronic records, files, and databases
  • technology refresh, such as the addition of new technical components, changes to existing technical components, and the elimination or retirement of existing technology
  • facilities changes, such as the addition of new facilities (whether owned by the organization or an external business partner), alteration of existing facilities, and the retirement of a facility

Besides the addition of new assets, this practice also addresses changes to the description or composition of an asset. For example, if an asset takes an additional form (such as when a paper asset is imaged or an electronic asset is printed), this must be documented as part of the asset description to ensure that current protection and sustainment strategies align properly and provide coverage across a range of asset media. Assets may also change ownership, custodianship, location, or value, all of which must be updated to ensure a current asset profile and inventory.

In addition, whenever assets are eliminated (for example, a server is retired or vital staff members leave the organization), owners of those assets must ensure that their resilience requirements are either eliminated (if possible) or are transferred and updated to the assets that replace them. Doing this is especially critical when assets are shared between services and have common resilience requirements.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” CM-3 Configuration Change Control. The organization:

  1. Determines the types of changes to the information system that are configuration-controlled;
  2. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
  3. Documents configuration change decisions associated with the information system;
  4. Implements approved configuration-controlled changes to the information system;
  5. Retains records of configuration-controlled changes to the information system;
  6. Audits and reviews activities associated with configuration-controlled changes to the information system; and
  7. Coordinates and provides oversight for configuration change control activities.

ITIL Service Transition, The Stationery Office, 2011, Best Management Practice. Section 4.2, “Change Management.”

NIST CSF References: PR.IP

Q2

CERT-RMM Reference

[ADM:GG2.GP7] Involve Relevant Stakeholders

Changes to assets are managed as conditions dictate. Organizational and operational conditions are continually changing. These changes result in daily changes to the high-value assets that help the organization's services achieve their missions.

Subpractices

1. Identify process stakeholders and their appropriate involvement. Elaboration:

These are examples of stakeholders of the asset definition and management process:

  • asset owners and custodians
  • service owners
  • organizational unit and line of business managers responsible for high-value assets and the services they support
  • staff responsible for establishing, implementing, and maintaining an internal control system for assets
  • external entities responsible for managing high-value assets
  • information technology staff (for technology assets)
  • staff responsible for physical security (for facility assets)

Stakeholders are involved in various tasks in the asset definition and management process, such as

  • planning for the process
  • creating an asset inventory baseline
  • creating asset profiles
  • associating assets with services and analyzing asset-service dependencies
  • managing changes to assets and to the asset inventory
  • reviewing and appraising the effectiveness of process activities
  • resolving issues in the process

[EXD:SG3.SP4] Formalize Relationships

When external entities support the execution of the acquirer's services, they become an extension of the acquirer and should be subject to the same or similar policies, standards, and guidelines as the acquirer's employees. Change procedures should be part of a formal agreement that is established with an external entity. The change procedures should also include procedures for changing any of the agreement provisions by mutual agreement.

Defining and communicating change procedures, including both routine and emergency changes, ensures that changes to assets will be handled in an efficient and controlled manner, consistent with acquirer policy, standards, and guidelines.

The acquirer should ensure that the external entities understand the acquirer's service priorities. When sourcing services, the acquirer should clearly define what the external entity is expected to do, including ensuring that the external entity is trained on the acquirer's processes and procedures. The acquirer and the external entity should work collaboratively to integrate their respective change processes and procedures to ensure that changes to assets are managed.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” SA-12 Supply Chain Protection.

ITIL Service Transition, The Stationery Office, 2011, Best Management Practice. Section 4.2.6.4, “Interfaces.”

NIST CSF References: PR.IP-3, PR.MA-1, PR.MA-2

Q3

CERT-RMM Reference

[EXD:SG3.SP4] Formalize Relationships

When external entities support the execution of the acquirer's services, they become an extension of the acquirer and should be subject to the same or similar policies, standards, and guidelines as the acquirer's employees.

Change procedures should be part of a formal agreement that is established with an external entity. The change procedures should also include procedures for changing any of the agreement provisions by mutual agreement. Defining and communicating change procedures, including both routine and emergency changes, ensures that changes to assets will be handled in an efficient and controlled manner, consistent with acquirer policy, standards, and guidelines.

Additional References

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” Section 4.1.1 Integrators - Verification and Validation Requirements.

Use multiple and complementary monitoring and auditing approaches and leverage existing data to analyze for supply chain risk during sustainment.

Evaluate the changes in maintenance agreements (e.g., physical move to a different location/offshoring, changes in ownership, outsourcing, and changes in key personnel) and manage risks associated with them.

ISO 27036-1, “IT-Security Techniques-Information Security for Supplier Relationships,” 5.5C ICT Supply Chain Considerations.

ITIL Service Design, The Stationery Office, 2011, Best Management Practice. Section 4.8.5, “Process Activities, Methods and Techniques.”

NIST CSF References: ID.SC-1, ID.SC-3, ID.SC-4

Q4

CERT-RMM References

[MON:SG1.SP1] Establish Monitoring Program

Establish and maintain the program for identifying, collecting, and distributing monitoring information.

[EXD:SG4.SP1] Monitor External Entity Performance

The performance of external entities is monitored against the agreement's specifications, including:

  • controls and control environments
  • financial condition and management practices of the external entity
  • service continuity and incident management plans
  • compliance practices and performance

[CTRL:SG4.SP1] Assess Controls

Assessing the control system at external entities is an ongoing activity that allows the acquirer to measure the effectiveness of controls across resilience activities. For example, through monitoring and ongoing measurement and analysis, the acquirer can determine whether controls at external entities are satisfying control objectives, strategies for protecting and sustaining services and assets, and resilience requirements. These activities can also ascertain if controls for resilience activities are effective and producing the intended results. Monitoring and measurement are two ways that the acquirer collects necessary data (and invokes a vital feedback loop) to know how well controls are performing in support of the operational resilience of high value services.

NIST Reference

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, SA-12(8) Supply Chain Protection | Use of All Source Intelligence.

ISO 27036-2, “IT-Security Techniques-Information Security for Supplier Relationships,” 7.4.3 Supplier Relationship Agreement Process - Activities.

NIST CSF References: ID.SC-1, ID.SC-4, DE.CM-6

Q5

CERT-RMM Reference

[TM:SG5.SP3] Manage Technology Capacity

Capacity is a significant factor in meeting the availability requirements of technology assets and, in turn, of the services that rely on these assets.

Consideration of capacity to ensure technology availability and meet business objectives requires a proactive approach to managing demand and anticipating future needs. Capacity management should be part of a formal agreement that is established with an external entity. Defining and communicating a capacity management strategy and the related requirements helps ensure that assets will meet the resilience requirements of the service.

Additional References

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” Section 4.4 Share Information within Strict Limits.

Acquirers, integrators, and suppliers need to share data and information. For the purposes of ICT SCRM, information sharing is the process by which acquirers, integrators, and suppliers (including COTS) exchange pertinent data and information. The data and information that may be shared can span the entire system or element life cycle and the entire supply chain. Content to be shared may include data and information about the use of elements, users, acquirer, integrator, or supplier organizations, as well as information regarding issues that have been identified or raised regarding specific elements. Information should be protected according to mutually agreed-upon practices.

ITIL Service Transition, The Stationery Office, 2011, Best Management Practice. Section 4.2.6.4, “Interfaces.”

NIST CSF References: ID.SC-3, ID.SC-4, PR.DS-4

Goal 5 – Supplier transitions are managed.
The purpose of this goal is to assess whether the acquirer manages transitions of supplier relationships based on business considerations (insolvency, nonperformance, new technology, etc.).
1. Has the acquirer identified criteria or conditions that would cause it to terminate supplier formal agreements?
No
2. Has the acquirer planned the actions it will take to sustain the critical service if one or more supplier formal agreements are terminated (by either the acquirer or supplier)?
N/A
3. Does the acquirer use lessons learned from supplier transitions to refine its external dependency management processes?
Yes
Option(s) for Consideration
Q1

CERT-RMM Reference

[EXD:SG4.SP2] Correct External Entity Performance

Corrective actions are implemented to support external entity performance as necessary.

Implementing corrective actions is a necessary part of managing external entity performance. The objective of any corrective action is to minimize the disruption to the organization's operation or the risk of any such disruption based on external dependencies. The range of corrective actions should be established in the agreement with the external entity, and an evaluation of alternatives should be completed prior to implementing corrective actions.

Additional References

NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” Section 3.5 Respond to Findings.

Response strategies may be implemented over a period of time, documenting implementation plans in the system's Plan of Action and Milestones (POA&M). As weaknesses are found, response actions are evaluated and any mitigation actions are conducted immediately or are added to the POA&M.

ITIL Service Design, The Stationery Office, 2011, Best Management Practice. Section 4.8.5.6, “Contract Renewal or Termination.”

NIST CSF References: ID.SC-1, ID.SC-3, PR.IP-2

Q2

CERT-RMM Reference

[EXD:GG2.GP1] Establish Process Governance

Establish and maintain governance over the planning and performance of the external dependencies management process. Governance over the external dependencies may include:

  • providing guidance on identifying, assessing, and managing operational risks related to external dependencies;
  • verifying that the process supports strategic resilience objectives and is focused on the assets and services that are of the highest relative value in meeting strategic objectives.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, SA-12(13) Supply Chain Protection | Critical Information System Components.

Adversaries can attempt to impede organizational operations by disrupting the supply of critical information system components or corrupting supplier operations. Safeguards to ensure adequate supplies of critical information system components include, for example: (i) the use of multiple suppliers throughout the supply chain for the identified critical components; and (ii) stockpiling of spare components to ensure operation during mission-critical times.

OCC Bulletin 2013-29. Subject: Third-Party Relationships United States Department of the Treasury, October 30, 2013, section: Risk Management Lifecycle, Termination.

(...) Developing a contingency plan to ensure that the bank can transition the activities to another third party, bring the activities in-house, or discontinue the activities when a contract expires, the terms of the contract have been satisfied, in response to contract default, or in response to changes to the bank's or third party's business strategy. In addition, a bank should perform the following throughout the life cycle of the relationship as part of its risk management process:

  • Oversight and accountability: Assigning clear roles and responsibilities for managing third-party relationships and integrating the bank's third-party risk management process with its enterprise risk management framework enables continuous oversight and accountability.
  • Documentation and reporting: Proper documentation and reporting facilitates oversight, accountability, monitoring, and risk management associated with third-party relationships.
  • Independent reviews: Conducting periodic independent reviews of the risk management process enables management to assess whether the process aligns with the bank's strategy and effectively manages risk posed by third-party relationships.

ITIL Service Design, The Stationery Office, 2011, Best Management Practice. Section 4.8.5.6, “Contract Renewal or Termination.”

ITIL Service Strategy, The Stationery Office, 2011, Best Management Practice. Section 3.7.3, “Multi-vendor Sourcing.”

NIST CSF References: ID.SC-1, ID.SC-3

Q3

CERT-RMM Reference

[EXD:GG3.GP2] Collect Improvement Information

Collect external dependencies work products, measures, measurement results, and improvement information derived from planning and performing the process to support the future use and improvement of the organization's processes and process assets.

[EXD:SG4.SP2] Correct External Entity Performance

Corrective actions should be documented in accordance with specifications in the agreement and used to inform and improve ongoing monitoring of the external entity.

Additional References

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” Section 4.1.1.e Integrators - Acquirer Programmatic Activities.

Define processes by which general supply chain information and lessons learned will be collected and shared between acquirers, integrators, and suppliers as scoped within the contract. Define how this information should be protected based on acquirer, integrator, and supplier agreements.

NIST CSF References: ID.SC-1, PR.IP-7, PR.IP-8

Goal 6 – Infrastructure and governmental dependencies are managed.
The purpose of this goal is to assess whether the acquirer identifies and manages the risks of dependence on infrastructure providers and governmental services.
1. Does the acquirer have a process to periodically review and update resilience requirements for infrastructure providers that support the critical service?
Unanswered
2. Has responsibility been assigned for monitoring the performance of infrastructure providers that support the critical service?
Alternate
3. Has responsibility been assigned for managing relationships with the providers of governmental services that support the critical service?
No
4. Are performance (or other) issues involving infrastructure providers and governmental services communicated to stakeholders for use in managing the dependency?
N/A
5. Does the acquirer’s risk monitoring include performance (or other) issues involving infrastructure providers and government services?
Yes
Option(s) for Consideration
Q1

CERT-RMM References

[EXD:SG3.SP2] Establish Resilience Specifications for External Dependencies

Periodically review and update resilience specifications for external dependencies and entities as conditions warrant.

[EC:SG4.SP4] Manage Dependencies on Public Infrastructure

Identify and document infrastructure dependencies that the organization relies upon to provide services. Remember that these dependencies may be internal as well as external, particularly where the organization has control over certain aspects of facility infrastructure, such as power or telecommunications that they provide for their own operations.

Typically, this activity results from business impact analysis. However, it can be included as part of service continuity planning or facility asset definition, depending on the organization. A resulting list of public infrastructure providers for each facility should be documented and made available for inclusion in service continuity plans as appropriate.

Additional References

NIST Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations,” Section 3 TASK 4-2: Risk Monitoring.

Monitor organizational information systems and environments of operation on an ongoing basis to verify compliance, determine effectiveness of risk response measures, and identify changes.

. . . organizations should monitor compliance, effectiveness, and change. Monitoring compliance within the context of ICT SCRM involves monitoring an organization's processes and ICT products and services for compliance with the established security and ICT SCRM requirements. Monitoring effectiveness involves monitoring the resulting risks to determine whether these established security and ICT SCRM requirements produce the intended results. Monitoring change involves monitoring the environment for any changes that would require changing requirements and mitigations/controls to maintain an acceptable level of ICT supply chain risk.

ISO 27036-3, “IT-Security Techniques-Information Security for Supplier Relationships,” 6.4.2e.

NIST CSF References: ID.BE-1, ID.BE-5, ID.SC-3

Q2

CERT-RMM Reference

[EXD:SG4.SP1] Monitor External Entity Performance

Establish procedures and responsibility for monitoring external entity performance and inspecting any external entity deliverables. (...) All agreement specifications should be considered for monitoring; it may be appropriate to prioritize monitoring and inspection activities based on a risk analysis of the specifications. Monitoring and inspection procedures should address the external entity's required characteristics, required behaviors, and required performance parameters.

The acquirer should have a process to track the organizational owner of the external entity relationship (i.e., the department and/or person in the organization who is responsible for the relationship with the external entity).

Additional References

NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” Section 3.3 Implement a Continuous Monitoring Program.

NIST CSF References: ID.AM-6, ID.GV-2, ID.SC-4

Q3

CERT-RMM References

[EXD:GG2.GP7] Identify and Involve Relevant Stakeholders

Identify and involve the relevant stakeholders of the external dependencies management process as planned.

Subpractices

Identify process stakeholders and their appropriate involvement.

Because external entities may reside in a wide range of physical locations and provide and support numerous processes, services, and assets, a substantial number of stakeholders are likely to be external to the organization.

These are examples of stakeholders of the plan for the external dependencies management process:

  • internal and external owners and custodians of organizational assets
  • internal and external service owners
  • organizational unit and line of business managers responsible for high-value assets and the services they support
  • staff responsible for managing operational risks arising from external dependencies and relationships with external entities
  • staff responsible for establishing, implementing, and maintaining an internal controls system for organizational assets where an external dependency and an external entity is involved
  • staff required to develop, test, implement, and execute service continuity plans that involve external dependencies and external entities
  • acquisition and procurement staff
  • internal and external auditors

[EC:SG4.SG3] Manage Dependencies on Public Services

Public services generally include services that are specific to the geographical region. Public services include

  • fire response and rescue services
  • local and, in some cases, federal law enforcement (police, National Guard, FBI, etc.)
  • emergency management services, including paramedics and first responders

Additional References

NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” Section 3.3 Implement a Continuous Monitoring Program.

NIST CSF References: ID.AM-6, ID.GV-2, ID.SC-4

Q4

CERT-RMM Reference

[EXD:GG2.GP7] Identify and Involve Relevant Stakeholders

Identify and involve the relevant stakeholders of the external dependencies management process as planned.

Subpractices

Identify process stakeholders and their appropriate involvement.

Because external entities may reside in a wide range of physical locations and provide and support numerous processes, services, and assets, a substantial number of stakeholders are likely to be external to the organization.

These are examples of stakeholders of the plan for the external dependencies management process:

  • internal and external owners and custodians of organizational assets
  • internal and external service owners
  • organizational unit and line of business managers responsible for high-value assets and the services they support
  • staff responsible for managing operational risks arising from external dependencies and relationships with external entities
  • staff responsible for establishing, implementing, and maintaining an internal controls system for organizational assets where an external dependency and an external entity is involved
  • staff required to develop, test, implement, and execute service continuity plans that involve external dependencies and external entities
  • acquisition and procurement staff
  • internal and external auditors

Additional References

NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” Section 3.3 Implement a Continuous Monitoring Program.

Part of the implementation stage of the continuous monitoring process is effectively organizing and delivering ISCM data to stakeholders in accordance with decision-making requirements. Tools and methodologies are chosen for the organization-wide ISCM architecture, in order to help ensure that risk-based decisions are informed by accurate, current security-related information.

NIST 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations,” Section AC-21 Collaboration and Information Sharing.

Organizations should clearly define boundaries for information sharing with respect to temporal, informational, contractual, security, access, system, and other requirements. Organizations should monitor and review for unintentional or intentional information sharing within its ICT supply chain activities including information sharing with system integrators, suppliers, and external service providers.

NIST CSF References: ID.SC-4

Q5

CERT-RMM Reference

[RISK:SG5.SP2] Implement Risk Strategies

Risk strategies and mitigation plans are implemented and monitored.

Effective management and control of risk requires the organization to monitor risk and the status of risk strategies. Because the operational environment is constantly changing, risks identified and addressed may need to be revisited, and a new disposition and strategy may need to be developed.

NIST Reference

NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.”

NIST CSF References: ID.RM-1, ID.SC-1

Goal 7 – External entity access to acquirer assets is managed.
The purpose of this goal is to assess whether the acquirer manages the risk that access granted to external entities could be misused to disrupt the critical service. These questions involve access granted to any external entity, not only those that specifically support the critical service.
1. Are both local and remote access to acquirer assets that support the critical service granted based on the assets’ protection requirements?
Unanswered
2. Does the acquirer have a process to appropriately modify access privileges when an external entity has personnel changes such as terminations, promotions, or job changes?
Alternate
3. Does the acquirer periodically review external entity access privileges – granted to external entity personnel or systems – to identify and correct inappropriate access privileges to acquirer assets?
3.1 Information
N/A
3.2 Technology
Yes
3.3 Facilities
Unanswered
4. Does the acquirer identify inappropriate access attempts (for example by periodically reviewing access logs) by external entity personnel or systems to acquirer assets?
4.1 Information
No
4.2 Technology
N/A
4.3 Facilities
Yes
Option(s) for Consideration
Q1

CERT-RMM Reference

[AM:SG1.SP1] Enable Access

Access privileges are assigned and approved by asset owners based on the role of the person, object, or entity that is requesting access. Asset owners are the persons or organizational units, internal or external to the organization, who have primary responsibility for the viability, productivity, and resilience of a high-value organizational asset. It is the owner's responsibility to ensure that requirements for protecting and sustaining assets are defined for assets under their control. In part, these requirements are satisfied by defining and assigning access privileges that are commensurate with the requirements. Therefore, the asset owner is responsible for granting and revoking access privileges to an identity based on the identity's role and the asset's resilience requirements. To be successful, asset owners must be aware of identities that need access to their assets and must evaluate the need with respect to business and resilience requirements before granting approval.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, AC-17 Remote Access

The organization:

  1. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
  2. Authorizes remote access to the information system prior to allowing such connections.

ISO 27036-3, “IT-Security Techniques-Information Security for Supplier Relationships,” 6.2.2 Infrastructure Management Process.

NIST CSF References: PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-6, PR.AC-7, PR.MA-2

Q2

CERT-RMM Reference

[AM:SG1.SP2] Manage Changes to Access Privileges

The continual evolution of the operational environment and the identity community (persons, objects, and entities) requires constant changes to be made to access privileges to organizational assets. There are many different scenarios that may result in legitimate changes to access privileges, such as

  • changes in job responsibilities and roles, such as when employees are promoted, take other positions in the organization, or leave the organization
  • changes to outsourcing arrangements or the roles of external contractors
  • changes to internal and external systems and processes that access organizational assets
  • changes in the identity community (i.e., addition or deletion of identity, changes to the identity's roles) (Changes to the identity community are addressed in ID:SG2.SP1 in the Identity Management process area.)
  • changes to the assets to which access privileges are provided and/or changes to the asset's resilience requirements (which could cascade through all access privileges)
  • periodic review and maintenance of access privileges (as described in AM:SG2.SP3)

In order to get a handle on this ever-changing environment, the organization must establish criteria to determine when a change in the operational environment would trigger a change in access privileges.

Owners of organizational assets have a role in the change management of access privileges. Owners are responsible for initiating and approving changes as required before corresponding access controls are modified to accommodate the changes. This may involve communication between asset owners and asset custodians who are responsible for implementing and maintaining those access controls. Owners are also responsible for following up to ensure that access privileges have been granted only to the approved limit.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, AC-2, Account Management.

  1. Identifies and selects the following types of information system(s)
  2. Assigns account managers for information system accounts;
  3. Establishes conditions for group and role membership;
  4. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
  5. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
  6. Creates, enables, modifies, disables, and removes information system accounts in accordance with organization-defined procedures or conditions;
  7. Monitors the use of information system accounts;
  8. Notifies account managers:
    1. When accounts are no longer required;
    2. When users are terminated or transferred; and
    3. When individual information system usage or need-to-know changes;
  9. Authorizes access to the information system based on:
    1. A valid access authorization;
    2. Intended system usage; and
    3. Other attributes as required by the organization or associated missions/business functions;
  10. Reviews accounts for compliance with account management requirements and
  11. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” Section 4.2 Limit Access and Exposure within the Supply Chain.

NIST CSF References: PR.AC-1, PR.AC-2, PR.AC-3, PR.IP-11

Q3

CERT-RMM Reference

[AM:SG1.SP3] Periodically Review and Maintain Access Privileges

Establish a regular review cycle and process. The mismanagement of access privileges is a major source of potential risks and vulnerabilities to the organization. Because assets and the identity community that needs access to the assets are pervasive across the organization, and in some cases extend beyond the organization, the ability to ensure that only authorized identities have appropriate privileges is an ongoing challenge. The organization must establish responsibility for regular review of access privileges and a process for correcting inconsistencies. The review cycle should consider the potential risks of excessive privileges as input to the time interval for performing regular review. Where access privileges provide broad rights (such as for “superusers”), the review cycle may need to be more frequent.

1. Perform periodic review of access privileges by asset. Periodic review of access rights is the responsibility of the owners of organizational assets. Reviews should be performed in accordance with the time intervals determined in AM:SG1.SP3, Subpractice 1. In addition to identifying inconsistencies and misalignment, periodic review should also be performed to reaffirm the current need for access privileges.

2. Identify inconsistencies or misalignment in access privileges. Asset owners should document any inconsistencies or misalignment in access privileges. Owners should identify privileges that are:

  • excessive
  • out of alignment with the identity's role or job responsibility
  • assigned but never approved by the asset owner
  • in violation of the asset's resilience requirements

Owners should also identify identities that may have been provisioned with access privileges but are no longer considered as valid identities. A disposition for each inconsistency or misalignment should be documented, as well as the actions that need to be taken to correct these issues.

Additional References

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” Section 4.2 Limit Access and Exposure within the Supply Chain.

NIST CSF References: PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-4
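One way to carry out the periodic review that AM:SG1.SP3 describes is to reconcile what is actually provisioned against the owner-approved role profile, the asset's resilience requirements and the external entity's current roster. The script below is an added example, not code from the CISA EDM package or CERT-RMM; every asset, role, identity and privilege in it is constructed.

```python
"""Periodic review of access privileges granted to external-entity identities.

Added example (not part of the CISA EDM package or CERT-RMM). Each provisioned
grant is checked against the asset owner's approved role profile, the asset's
resilience requirement and the external entity's roster, and each inconsistency
is classified the way AM:SG1.SP3 lists them: excessive, out of alignment with
the role, never approved by the owner, in violation of resilience requirements,
or held by an identity that is no longer valid. A disposition is recorded per
finding. All assets, roles, identities and privileges below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Grant:
    asset: str
    identity: str
    privileges: FrozenSet[str]
    owner_approved: bool  # True if an approval record from the asset owner exists


@dataclass(frozen=True)
class Finding:
    asset: str
    identity: str
    category: str
    detail: str
    disposition: str  # corrective action recorded for the asset owner


# Role profiles approved by each asset owner (constructed).
APPROVED_PROFILE: Dict[str, Dict[str, Set[str]]] = {
    "payroll-db": {"vendor-dba": {"read", "write", "admin"}, "vendor-support": {"read"}},
    "hr-fileshare": {"vendor-support": {"read"}},
}
# Resilience requirement: privileges no external identity may hold on the asset (constructed).
EXTERNAL_FORBIDDEN: Dict[str, Set[str]] = {"hr-fileshare": {"admin", "delete"}}
# Current roster from the external entity; None marks an offboarded person (constructed).
ROSTER: Dict[str, Optional[str]] = {
    "ext-alice": "vendor-dba",
    "ext-bob": "vendor-support",
    "ext-carol": None,
}


def review_grants(grants: List[Grant], profile=APPROVED_PROFILE,
                  forbidden=EXTERNAL_FORBIDDEN, roster=ROSTER) -> List[Finding]:
    """Return one Finding per inconsistency found in the provisioned grants."""
    findings: List[Finding] = []
    for g in grants:
        role = roster.get(g.identity)
        if role is None:
            # Identity is unknown or offboarded: everything it holds is stale.
            findings.append(Finding(g.asset, g.identity, "stale_identity",
                                    "identity is not on the external entity's current roster",
                                    "revoke all privileges; confirm offboarding with the entity"))
            continue
        violating = set(g.privileges) & forbidden.get(g.asset, set())
        if violating:
            findings.append(Finding(g.asset, g.identity, "resilience_violation",
                                    f"external identity holds {sorted(violating)}",
                                    "revoke immediately; owner records any exception"))
        allowed = profile.get(g.asset, {}).get(role)
        if allowed is None:
            findings.append(Finding(g.asset, g.identity, "misaligned",
                                    f"role {role!r} has no approved profile on this asset",
                                    "revoke; owner re-approves against a role profile if still needed"))
            continue
        excessive = set(g.privileges) - allowed - violating  # violations already reported
        if excessive:
            findings.append(Finding(g.asset, g.identity, "excessive",
                                    f"beyond role profile: {sorted(excessive)}",
                                    "reduce to the approved role profile"))
        if not g.owner_approved:
            findings.append(Finding(g.asset, g.identity, "unapproved",
                                    "no asset-owner approval record for this grant",
                                    "owner approves in writing or the grant is revoked"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category for the review report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed snapshot exported from the access-control systems.
PROVISIONED = [
    Grant("payroll-db", "ext-alice", frozenset({"read", "write", "admin"}), True),
    Grant("payroll-db", "ext-bob", frozenset({"read", "write"}), False),
    Grant("hr-fileshare", "ext-bob", frozenset({"read", "admin"}), True),
    Grant("hr-fileshare", "ext-carol", frozenset({"read"}), True),
    Grant("hr-fileshare", "ext-alice", frozenset({"read"}), True),
]

if __name__ == "__main__":
    for f in review_grants(PROVISIONED):
        print(f"{f.asset:13} {f.identity:10} {f.category:21} {f.detail} -> {f.disposition}")
    print(summarize(review_grants(PROVISIONED)))
```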

Q4

CERT-RMM Reference

[IMC:SG2.SP1] Detect and Report Events

Events are detected and reported. The monitoring, identification, and reporting of events is the foundation for incident identification and commences the incident life cycle. Events potentially affect the productivity of organizational assets and, in turn, associated services. These events must be captured and analyzed so that the organization can determine if the event will become (or has become) an incident that requires organizational action. The extent to which an organization can identify events improves its ability to manage and control incidents and their potential effects.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, AC-2(12) Account Management | Account Monitoring / Atypical Usage.

(b) Reports atypical usage of information system accounts to (appropriate staff).

Supplemental Guidance: Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations.

NIST CSF References: PR.AC-1, PR.AC-2, PR.AC-3, PR.MA-2
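The atypical-usage review that AC-2(12) calls for can be run over access logs by first learning each external account's usual hours and locations and then flagging logins that depart from them, alongside bursts of failed attempts. The script below is an added example, not code from the CISA EDM package or NIST; the log format, accounts, regions and (documentation-range) IP addresses are all constructed.

```python
"""Detect inappropriate or atypical access by external-entity accounts from access logs.

Added example (not part of the CISA EDM package or NIST SP 800-53). A per-account
baseline of usual login hours and regions is built from earlier successful
logins; later events are then flagged for the two kinds of atypical usage that
AC-2(12) names (time of day and location inconsistent with the account's normal
pattern), for repeated failed attempts, and for accounts with no baseline at all.
The log format, accounts, IP addresses (documentation ranges) and regions are
constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed one-event-per-line format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>\S+) asset=(?P<asset>\S+) result=(?P<result>success|failure)$"
)

BASELINE_LOG = """\
2021-08-02T09:12:03Z user=ext-alice src=203.0.113.10 geo=US-CO asset=payroll-db result=success
2021-08-03T10:40:51Z user=ext-alice src=203.0.113.10 geo=US-CO asset=payroll-db result=success
2021-08-04T14:05:17Z user=ext-alice src=203.0.113.11 geo=US-CO asset=payroll-db result=success
2021-08-02T08:02:44Z user=ext-bob src=198.51.100.7 geo=US-TX asset=hr-fileshare result=success
2021-08-05T11:30:09Z user=ext-bob src=198.51.100.7 geo=US-TX asset=hr-fileshare result=success
"""

REVIEW_LOG = """\
2021-08-19T02:45:11Z user=ext-alice src=203.0.113.10 geo=US-CO asset=payroll-db result=success
2021-08-19T10:05:00Z user=ext-alice src=192.0.2.55 geo=RO-B asset=payroll-db result=success
2021-08-19T08:30:00Z user=ext-bob src=198.51.100.7 geo=US-TX asset=hr-fileshare result=success
2021-08-19T08:31:10Z user=ext-bob src=198.51.100.7 geo=US-TX asset=hr-fileshare result=failure
2021-08-19T08:33:40Z user=ext-bob src=198.51.100.7 geo=US-TX asset=hr-fileshare result=failure
2021-08-19T08:36:02Z user=ext-bob src=198.51.100.7 geo=US-TX asset=hr-fileshare result=failure
2021-08-19T08:50:00Z user=ext-bob src=198.51.100.7 geo=US-TX asset=hr-fileshare result=failure
2021-08-19T09:00:00Z user=ext-dave src=198.51.100.9 geo=US-TX asset=hr-fileshare result=success
"""


def parse_log(text: str) -> List[Dict]:
    """Parse the constructed format into time-ordered events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda ev: ev["ts"])


def build_baseline(events: List[Dict]) -> Dict[str, Dict[str, set]]:
    """Hours of day and regions seen in successful logins, per account."""
    baseline = defaultdict(lambda: {"hours": set(), "geos": set()})
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]]["hours"].add(e["ts"].hour)
            baseline[e["user"]]["geos"].add(e["geo"])
    return dict(baseline)


def _near_usual_hour(hour: int, usual: set, slack: int = 1) -> bool:
    # Circular distance so that 23:00 counts as near 00:00.
    return any(min((hour - h) % 24, (h - hour) % 24) <= slack for h in usual)


def detect_atypical(events: List[Dict], baseline: Dict, fail_threshold: int = 3,
                    fail_window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Return alerts for logins that depart from the account's baseline."""
    alerts: List[Dict] = []
    recent_failures = defaultdict(list)
    for e in events:  # time-ordered from parse_log
        user = e["user"]
        if e["result"] == "failure":
            window = [t for t in recent_failures[user] if e["ts"] - t <= fail_window] + [e["ts"]]
            recent_failures[user] = window
            if len(window) == fail_threshold:  # alert when the threshold is reached, not on every later failure
                alerts.append({"user": user, "kind": "repeated_failures",
                               "detail": f"{fail_threshold} failures within {fail_window} on {e['asset']}"})
            continue
        usual = baseline.get(user)
        if usual is None:
            alerts.append({"user": user, "kind": "no_baseline",
                           "detail": f"first seen on {e['asset']} from {e['src']}"})
            continue
        if e["geo"] not in usual["geos"]:
            alerts.append({"user": user, "kind": "unusual_location",
                           "detail": f"{e['geo']} not in usual regions {sorted(usual['geos'])}"})
        if not _near_usual_hour(e["ts"].hour, usual["hours"]):
            alerts.append({"user": user, "kind": "atypical_hour",
                           "detail": f"{e['ts']:%H:%M} UTC outside usual hours {sorted(usual['hours'])}"})
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    for a in detect_atypical(parse_log(REVIEW_LOG), base):
        print(f"{a['user']:10} {a['kind']:18} {a['detail']}")
```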

Remarks - Relationship Management and Governance - MIL-1

No remarks have been entered

Service Protection and Sustainment - MIL-1

[Scorecard: Goal 1 (Q1–Q5; Q4 and Q5 split into IM and SC), Goal 2 (Q1–Q4; Q1 and Q2 split into IM and SC), Goal 3 (Q1–Q6; Q3 split into S and IP).]

The purpose of Service Protection and Sustainment is to assess whether the acquirer accounts for its dependence on external entities as part of its operational activities around managing incidents and threats. This includes integrating external entity considerations into the acquirer's disruption planning - typically incident management and business continuity, validating controls at external entities, and maintaining situational awareness activities directed at external dependencies.

Goal 1 – Disruption planning includes external dependencies.
The purpose of this goal is to assess whether the acquirer accounts for external dependencies as part of its incident management and service continuity processes.
1. Does the acquirer have an incident management plan to protect the critical service?
Yes
2. Have incident declaration criteria that support the critical service been established and communicated to relevant external entities?
Unanswered
3. Does the acquirer have a documented service continuity/business continuity plan to sustain the critical service?
Alternate
4. Do the acquirer’s plans account for dependence on external entities?
4.1 Incident management
N/A
4.2 Service continuity
Yes
5. Do relevant external entities participate in the acquirer’s planning activities?
5.1 Incident management
Alternate
5.2 Service continuity
No
Option(s) for Consideration
Q1

CERT-RMM Reference

[IMC:SG1.SP1] Plan for Incident Management

Establish the incident management plan. The incident management plan should address, at a minimum

  • the acquirer's philosophy for incident management
  • the structure of the incident management process
  • the requirements and objectives of the incident management process relative to managing operational resilience
  • a description of how the acquirer will identify incidents, analyze them, and respond to them
  • the roles and responsibilities necessary to carry out the plan
  • applicable training needs and requirements

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, IR-4 Incident Handling.

  1. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
  2. Coordinates incident handling activities with contingency planning activities; and
  3. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.

NIST Special Publication 800-61, “Computer Security Incident Handling Guide,” Handbook for Computer Security Incident Response Teams (CSIRTs).

NIST CSF References: ID.SC-5, PR.IP-9

Q2

CERT-RMM References

[IMC:SG3.SP1] Define and Maintain Incident Declaration Criteria

Each organization has many unique factors that must be considered in determining when to declare an incident. Through experience, an organization may have a baseline set of events that define standard incidents, such as a virus outbreak, unauthorized access to a user account, or a denial-of-service attack. However, in reality, incident declaration may occur on an event-by-event basis.

To guide the organization in determining when to declare an incident (particularly if incident declaration is not immediately apparent), the organization must define incident declaration criteria.

[IMC:GG2.GP7] Involve Stakeholders

Stakeholders for the incident management and control process may extend across the organization and externally to business partners and vendors.

Additional References

NIST Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations,” Section AC-21 Collaboration and Information Sharing.

Sharing information within the ICT supply chain can help to manage ICT supply chain risks. This information may include vulnerabilities, threats, criticality of systems and components, or delivery information. This information sharing should be carefully managed to ensure that the information is accessible only to authorized individuals within the organization's ICT supply chain.

NIST Special Publication 800-61, “Computer Security Incident Handling Guide,” Section 3.3.1 Choosing a Containment Strategy.

NIST CSF References: DE.AE-5

Q3

CERT-RMM Reference

[SC:SG3.SP2] Develop and Document Service Continuity Plans

Document the service continuity plans using available templates as appropriate. A service continuity plan typically includes the following information:

  • identification of authority for initiating and executing the plan (plan ownership)
  • identification of the communication mechanism to initiate execution of the plan

Additional References

NIST Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations,” Section 3 Contingency Planning, 74.

Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” CP-2(1) Contingency Plan | Coordinate with Related Plans.

NIST Special Publication 800-34, “Contingency Planning for Federal Information Systems,” Chapter 3.

ISO 22301, “Societal Security - Business continuity management systems - Requirements,” Section 6 Planning.

NIST CSF References: ID.SC-5, PR.IP-9

Q4

CERT-RMM References

[EXD:SG2.SP2] Mitigate Risks Due to External Dependencies

The mitigation of risk due to external dependencies involves the development of strategies that seek to minimize the risk to an acceptable level. This includes reducing the likelihood of risks, minimizing exposure to them, developing service continuity plans, and developing recovery and restoration plans to address the consequences of realized risk.

[SC:SG3.SP2] Develop and Document Service Continuity Plans

The organization or its assigned representatives develop the required service continuity plans. The service owner typically develops service continuity plans, but this may vary. Subpractices that apply to the involvement and consideration of external entities include identification of

  • vital staff roles and responsibilities
  • high-value technology assets needed to support the plan
  • high-value information assets and vital records necessary to support the plan
  • high-value facilities necessary to support the plan
  • coordination activities required
  • levels of authority at external entities

Additional References

NIST Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations,” Section 3 Contingency Planning, 74.

ICT supply chain concerns of contingency planning include planning for alternative suppliers of system components, alternative suppliers of systems and services, denial of service attacks to the supply chain, and planning for alternate delivery routes for critical system components. Additionally, many techniques used for contingency planning, such as alternative processing sites, have their own ICT supply chains including their own specific ICT supply chain risks. Organizations should ensure that they understand and manage ICT supply chain risks and dependencies related to the contingency planning activities as necessary.

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” Section 2.2 Foundational Practices.

Ensure that a robust incident management program is in place to successfully identify, respond to, and mitigate security incidents. This program should be capable of identifying causes of security incidents, including those originating from the supply chain.

NIST Special Publication 800-34, “Contingency Planning for Federal Information Systems,” Chapter 3.

NIST CSF References: ID.SC-2, ID.SC-5, PR.IP-9

Q5

CERT-RMM References

[IMC:GG2.GP7] Identify and Involve Relevant Stakeholders

Stakeholders of the incident management and service continuity processes may extend across the organization and externally to business partners and vendors. These can include external entities involved in process activities and responsible for managing high-value assets.

[SC:SG2.SP2] Identify Internal and External Dependencies and Interdependencies

Services depend on organizational assets, both internal and external, to ensure continuity of operations. They also rely on external partnerships such as public agencies and infrastructure such as public utilities and telecommunications. These dependencies and interdependencies must be identified in order to ensure a robust consideration of the range of planning that must be incorporated into the service continuity plans.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” CP-4(1) Contingency Plan Testing | Coordinate with Related Plans.

The organization coordinates contingency plan testing with organizational elements responsible for related plans.

Supplemental Guidance: Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. This control enhancement does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations should coordinate with those elements.

NIST Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations,” Section AC-21 Collaboration and Information Sharing.

NIST Special Publication 800-34, “Contingency Planning for Federal Information Systems,” Chapter 3.5 Plan Testing, Training, and Exercises (TT&E).

ISO 22301, “Societal Security - Business continuity management systems - Requirements,” Sections 6 and 7.

NIST CSF References: ID.SC-5, PR.IP-9

Goal 2 – Planning and controls are maintained and updated.
The purpose of this goal is to assess whether the acquirer's controls and plans are regularly tested and updated with respect to external dependencies.
1. Are disruption management plans tested cooperatively with relevant suppliers?
1.1 Incident management
Yes
1.2 Service continuity
Unanswered
2. Do changes in external entity relationships trigger a review of disruption management plans?
2.1 Incident management
No
2.2 Service continuity
N/A
3. Are controls at suppliers that support the critical service periodically validated or tested to ensure they meet control objectives?
Yes
4. Does the acquirer have a documented list of triggering events or changes that require testing of controls at suppliers that support the critical service?
Unanswered
Option(s) for Consideration
Q1

CERT-RMM References

[SC:SG5.SP3] Exercise Plans

Test the service continuity plan. On a regular basis, service continuity plans are exercised (tested) according to their test plan. Tests should include the participation of external entities where appropriate. The test should establish the viability, accuracy, and completeness of the plan. It should also provide information about the acquirer's level of preparedness to address the specific area(s) included in the plan.

[IMC:GG2.GP7] Identify and Involve Relevant Stakeholders

Stakeholders for the incident management and control process may extend across the organization and externally to business partners and vendors.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” CP-4(1) Contingency Plan Testing | Coordinate with Related Plans.

The organization coordinates contingency plan testing with organizational elements responsible for related plans.

Supplemental Guidance: Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans.

NIST Special Publication 800-84, “Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities,” 6-1 to 6-6.

NIST Special Publication 800-61, “Computer Security Incident Handling Guide,” Section 3.2.3 Procedural Elements.

ISO 22301, “Societal Security - Business continuity management systems - Requirements,” Section 6 Planning and Section 8.5 Exercising and Testing.

NIST CSF References: ID.SC-4, ID.SC-5

Q2

CERT-RMM References

[SC:SG7.SP1] Establish Change Criteria

Because of changing operational and acquirer conditions, service continuity and incident management plans may have a short useful life. Identifying and understanding the types of acquirer and operational triggers that may indicate a need to revisit and revise service continuity plans ensures that these plans remain viable. Criteria for making changes to service continuity and incident management plans may include:

  • changes to services or how those services are delivered
  • relationship changes
  • regulatory changes
  • weaknesses or gaps identified as a result of testing or an activation of the plan

[IMC:GG2.GP8] Monitor and Control the Process

Periodic reviews of the incident management and control process are needed to ensure that

  • the process is known and accessible
  • events and incidents are identified, reported, and addressed on a timely basis
  • events and incidents are logged and closed
  • events are properly triaged and analyzed for root causes
  • incidents are properly declared
  • incidents are properly escalated to designated stakeholders
  • incidents are communicated appropriately to stakeholders at a level commensurate with their involvement
  • event and incident status reports are provided to appropriate stakeholders in a timely manner
  • post-incident reviews are performed to improve the process
  • actions requiring management involvement are elevated in a timely manner
  • the performance of process activities is being monitored and regularly reported

Additional References

NIST Special Publication 800-34, “Contingency Planning for Federal Information Systems,” Chapter 3.6 Plan Maintenance.

To be effective, the plan must be maintained in a ready state that accurately reflects system requirements, procedures, organizational structure, and policies. As identified as part of RMF Step 6 (Continuous Monitoring), a continuous monitoring process can provide organizations with an effective tool for plan maintenance, producing ongoing updates to security plans, security assessment reports, and plans of action and milestone documents.

As a general rule, the plan should be reviewed for accuracy and completeness at an organization-defined frequency or whenever significant changes occur to any element of the plan. Certain elements, such as contact lists, will require more frequent reviews. The plans for moderate- or high-impact systems should be reviewed more often.

NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.”

NIST CSF References: ID.SC-2, ID.SC-3

Q3

CERT-RMM References

[EXD:SG4.SP1] Monitor External Entity Performance

The performance of external entities is monitored to ensure it meets specifications, including:

  • controls and control environments
  • financial condition and management practices of the external entity
  • service continuity and incident management plans
  • compliance practices and performance

[CTRL:SG4.SP1] Assess Controls

Assessing the control system at external entities is an ongoing activity that allows the acquirer to measure the effectiveness of controls across resilience activities. For example, through monitoring and ongoing measurement and analysis, the acquirer can determine whether controls at external entities are satisfying control objectives, strategies for protecting and sustaining services and assets, and resilience requirements. These activities can also ascertain if controls for resilience activities are effective and producing the intended results. Monitoring and measurement are two ways that the acquirer collects necessary data (and invokes a vital feedback loop) to know how well controls are performing in support of the operational resilience of high-value services.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” SA-12(11) Supply Chain Protection | Penetration Testing / Analysis of Elements, Processes, and Actors.

The organization employs one or more of the following: organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing of organization-defined supply chain elements, processes, and actors associated with the information system, system component, or information system service.

Supplemental Guidance: This control enhancement addresses analysis and/or testing of the supply chain, not just delivered items. Supply chain elements are information technology products or product components that contain programmable logic and that are critically important to information system functions. Supply chain processes include, for example: (i) hardware, software, and firmware development processes; (ii) shipping/ handling procedures; (iii) personnel and physical security programs; (iv) configuration management tools/measures to maintain provenance; or (v) any other programs, processes, or procedures associated with the production/distribution of supply chain elements. Supply chain actors are individuals with specific roles and responsibilities in the supply chain. The evidence generated during analyses and testing of supply chain elements, processes, and actors is documented and used to inform organizational risk management activities and decisions.

NIST Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations, ICT SCRM Controls,” 43-49.

NIST CSF References: ID.SC-4

Q4

CERT-RMM Reference

[EXD:SG4.SP1] Monitor External Entity Performance

The performance of external entities is monitored to ensure it meets specifications, including:

  • controls and control environments
  • financial condition and management practices of the external entity
  • service continuity and incident management plans
  • compliance practices and performance

[CTRL:SG4.SP1] Assess Controls

Assessing the control system at external entities is an ongoing activity that allows the acquirer to measure the effectiveness of controls across resilience activities. For example, through monitoring and ongoing measurement and analysis, the acquirer can determine whether controls at external entities are satisfying control objectives, strategies for protecting and sustaining services and assets, and resilience requirements. These activities can also ascertain if controls for resilience activities are effective and producing the intended results. Monitoring and measurement are two ways that the acquirer collects necessary data (and invokes a vital feedback loop) to know how well controls are performing in support of the operational resilience of high-value services.

Additional References

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” 4.2.7 Integrator - Verification and Validation Requirements.

Demonstrate that a mix of personnel, physical, and logical access controls are implemented which provide a level of protection commensurate with the sensitivity/criticality of the services provided or the elements procured.

  1. Perform technical and procedural audits of mechanisms used to shield information related to elements, including uses, requirements, and metadata.
  2. Employ Red Team approaches to identify potential pathways or opportunities for adversaries to exploit deficits or weaknesses in supply chain processes that would result in the exposure of the element or associated information including uses of element.
  3. Assess the effectiveness of alternative configurations in protecting access of elements, processes, systems, and information for the purposes of confidentiality, integrity, and availability.
  4. Test internal access controls for the ability to detect anomalous behavior and facilitate timely intervention to prevent or reduce adverse consequences.

NIST Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations,” Section 3 ICT SCRM Controls, 43-49.

NIST CSF References: ID.SC-1, ID.SC-2, ID.SC-3, ID.SC-4

Goal 3 – Situational awareness extends to external dependencies.
The purpose of this goal is to assess whether the acquirer's situational awareness activities include external dependencies. Satisfying this goal means that the acquirer may monitor information sources for threats to key external entities.
1. Has the acquirer assigned responsibility internally for monitoring sources of threat information?
Alternate
2. Has the acquirer implemented threat monitoring procedures, including how threats are received and responded to?
No
3. Does the acquirer identify external entities that it should include as part of its threat monitoring activities?
3.1 Suppliers
Yes
3.2 Infrastructure providers
Unanswered
4. Do the acquirer and relevant external entities exchange information about threats to the critical service?
Alternate
5. Does the acquirer participate in or take advantage of industry consortia (i.e., InfraGard, Coordinating Councils, Council of Supply Chain Management) to detect threats to the acquirer and external entities?
No
6. Are threats to external entities reported to internal stakeholders for use in managing the dependency?
N/A
Option(s) for Consideration
Q1

CERT-RMM Reference

[MON:SG1.SP2] Identify Stakeholders

Identify stakeholders of the monitoring process. The list should include internal and external stakeholders and should be seeded by examining operational resilience management processes and their organizational owners. Stakeholders of the organization’s monitoring processes are those internal and external people, entities, or agencies that require information about the operational resilience management processes for which they have responsibility and for which they must achieve resilience goals, objectives, and obligations.

Additional References

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” 2.2 Foundational Practices.

Assign roles and responsibilities to specific individuals, including who has the required authority to take action, who has accountability for an action or result, and who should be consulted and/or informed.

Ensure information system security, acquisition personnel, legal counsel, and other appropriate advisors and stakeholders are participating in decision making from system concept definition/review and are involved in, or approve of, each milestone decision through the entire system life cycle for federal systems.

NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” Section 2.1 Organization-wide View of ISCM.

NIST CSF References: ID.AM-6, ID.RA-2, PR.AT-5

Q2

CERT-RMM Reference

[MON:SG2.SP2] Establish Collection Standards and Guidelines

Review, refine, and develop monitoring operating procedures. Detailed processes, standard operating procedures, or work instructions may be created during monitoring infrastructure implementation, but they will need to be regularly reviewed, tailored, and possibly supplemented to meet ongoing monitoring needs.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” SI-4 Information System Monitoring.

NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” 19-26.

NIST CSF References: ID.RA-2, ID.RA-3

Q3

CERT-RMM Reference

[MON:SG1.SP3] Establish Monitoring Requirements

The scope of the monitoring activity determines how extensive the organization's processes must be and may be a deciding factor in how the organization develops and implements appropriate infrastructure to meet the requirements of stakeholders. The scope is a direct reflection of the needs and requirements of stakeholders.

The requirements of stakeholders must clearly establish the information and data that they need on a regular basis to manage, measure, direct, control, and improve processes for which they have responsibility.

NIST Reference

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” Section 2.5 External Service Providers.

NIST CSF References: ID.RA-3, PR.IP-8, RS.CO-5

Q4

CERT-RMM References

[MON:SG2.SP2] Establish Collection Standards and Guidelines

Collected and recorded information is distributed to appropriate stakeholders. The continuous and effective management of operational resilience is highly dependent on information collected in the monitoring process. Some of the key objectives of monitoring and information distribution are

  • identifying, preventing, and responding to threats and disruptive events
  • determining the effectiveness of strategies to protect and sustain assets and services
  • determining the effectiveness of resilience management processes
  • improving resilience management processes

To meet these objectives, monitoring information must be available for use when needed by stakeholders, internally and externally. Thus, the acquirer must establish viable distribution methods and channels to move collected information to stakeholders as requested in a reliable and consistent manner.

[COMM:SG3.SP2] Establish and Maintain Communications Infrastructure

Communicate threat information to key internal and external stakeholders. Implement and manage the communications infrastructure.

Additional References

NISTIR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems,” 2.1 Challenges.

Furthermore, acquirer, integrator, and supplier organizations generally implement quality and security through two separate enterprise operational organizations. Supply chain quality and security vulnerabilities are likely to be addressed through these separate organizations. Whether addressing intentional or unintentional vulnerabilities and related mitigations, cross-communication between these two enterprise organizations is required to holistically approach ICT SCRM.

NIST Special Publication 800-30, “Risk Management Guide for Information Technology Systems,” 14-15.

NIST CSF References: ID.RA-2, PR.IP-8, RS.CO-5

Q5

CERT-RMM References

[MON:SG2.SP1] Establish and Maintain Monitoring Infrastructure

Effective operational risk management and situational awareness requires organizations to establish a monitoring infrastructure commensurate with meeting monitoring requirements. Monitoring is a data-collection-intensive activity that is often dependent on supporting services and infrastructure that span the organization and often extend outside the organization. Some of the key reasons for leveraging external resources (e.g., umbrella or industry groups, regulatory agencies, cyber-threat assessment vendors) include

  • organizations may not have a core competency in collecting information
  • the scope and breadth of the threat landscape make it too complex and costly to collect and process that information
  • leveraging organizations whose primary mission is the collection, analysis, and dissemination of threat information is more effective and efficient

[MON:GG2.GP7] Identify and Involve Relevant Stakeholders

These are examples of stakeholders of the monitoring process (refer to MON:SG1.SP2):

  • boards of directors and governors
  • higher level and other managers
  • service owners and asset owners and custodians
  • information technology staff, such as system administrators and CSIRT teams
  • business partners, vendors, and outsourcers
  • police and security guards
  • public agencies
  • regulatory bodies
  • internal and external auditors
  • owners of operational resilience management processes
  • staff identified as being associated with each process requirement, program, and distribution channel
  • staff identified as being associated with each external entity that is collecting and distributing monitoring data

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” SA-12(8) Supply Chain Protection | Use of All-Source Intelligence.

The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service.

Supplemental Guidance: All-source intelligence analysis is employed by organizations to inform engineering, acquisition, and risk management decisions. All-source intelligence consists of intelligence products and/or organizations and activities that incorporate all sources of information, most frequently including human intelligence, imagery intelligence, measurement and signature intelligence, signals intelligence, and open-source data in the production of finished intelligence. Where available, such information is used to analyze the risk of both intentional and unintentional vulnerabilities from development, manufacturing, and delivery processes, people, and the environment. This review is performed on suppliers at multiple tiers in the supply chain sufficient to manage risks.

Related control: SA-15

NIST Special Publication 800-137, “Information Security Continuous Monitoring for Federal Information Systems and Organizations.”

NISTIR 7756, “CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Model (Second Draft).”

NIST CSF References: ID.RA-2, RS.CO-5

Q6

CERT-RMM References

[MON:SG1.SP3] Establish Monitoring Requirements

The scope of the monitoring activity determines how extensive the organization's processes must be and may be a deciding factor in how the organization develops and implements appropriate infrastructure to meet the requirements of stakeholders. The scope is a direct reflection of the needs and requirements of stakeholders. The requirements of stakeholders must clearly establish the information and data that they need on a regular basis to manage, measure, direct, control, and improve processes for which they have responsibility.

Stakeholders are those internal and external people, entities, or agencies that require information about the operational resilience management processes for which they have responsibility and for which they must achieve resilience goals, objectives, or obligations. Relevant stakeholders may include the CEO and CIO, and in the case of external dependencies, may extend to legal counsel and other relationship managers.

[MON:SG2.SP4] Distribute Information

The continuous and effective management of operational resilience is highly dependent on information collected in the monitoring process. This information is useful for

  • identifying, preventing, and responding to disruptive events
  • determining the effectiveness of strategies to protect and sustain assets and services
  • determining the effectiveness of operational resilience management processes
  • improving operational resilience management processes when necessary

To meet these objectives, monitoring information must be available for use when needed by stakeholders. Thus, the organization must establish viable distribution methods and channels to move collected information to stakeholders as requested in a reliable and consistent manner.

Additional References

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” Section 2.1 Multitiered Risk Management.

. . . To integrate the risk management process throughout the organization and more effectively address mission/business concerns, a three-tiered approach is employed that addresses risk at the: (i) organization level; (ii) mission/business process level; and (iii) information system level. The risk management process is carried out across the three tiers with the overall objective of continuous improvement in the organization's risk-related activities and effective inter-tier and intra-tier communication among all stakeholders having a shared interest in the mission/business success of the organization.

NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” Section 3.3 Implement a Continuous Monitoring Program.

NIST CSF References: PR.IP-8, RS.CO-5

Remarks - Service Protection and Sustainment - MIL-1

No remarks have been entered

Maturity Indicator Levels

MIL2: Q1, Q2, Q3, Q4, Q5
MIL3: Q1, Q2, Q3, Q4
MIL4: Q1, Q2, Q3
MIL5: Q1, Q2, Q3

The maturity indicator level questions below apply to all of the domains in this assessment: Relationship Formation, Relationship Management and Governance, and Service Protection and Sustainment. Achievement of the maturity indicator levels means that external dependencies management is more likely to be effective, consistent, and retained during times of disruption or organizational change. One maturity scale is used because the three domains represent one continuous lifecycle.

MIL2 - Planned
Performance at MIL2 - Planned means that external dependencies management to protect the critical service is not only performed but also supported by sufficient planning, stakeholder involvement, and standards and guidelines.
1. Is there a documented plan for performing external dependencies management?
Yes
2. Is there a documented policy for external dependencies management?
Unanswered
3. Does the plan or policy identify and describe external dependencies management processes?
Alternate
4. Have internal and external stakeholders for external dependencies management activities been identified and made aware of their cybersecurity roles?
No
5. Have external dependencies management standards, guidelines and roles been established and implemented?
N/A
Option(s) for Consideration
Q1

CERT-RMM Reference

Consider developing a plan for performing External Dependencies Management. A plan is developed to ensure that the acquirer and its staff know how external dependencies will be managed across the entire lifecycle of relationships. External dependencies exist when external entities have defined obligations or relationships with assets or services that the acquirer depends on to support the critical service.

Examples include external entities that provide, operate, control, have access to, own, or have other responsibilities with respect to key assets.

The plan should address the resilience specifications for the critical service or the product being provided. The EDM plan should detail how core goals relating to EDM will be performed - for example evaluating suppliers, entering into formal agreements, monitoring changes at external entities, and prioritizing dependencies. The EDM plan will normally also detail the other resilience and security domains that are relevant to EDM at the acquirer. These may include, for example, risk management, incident management, service continuity, or change management. This is important so that resilience processes across the acquirer will adequately support EDM according to consistent requirements and priorities.

In practice, many of the required actions to manage external dependencies may be documented in other plans or documents (for example vendor selection and contracting procedures). The purpose of an EDM plan is not to duplicate or repeat material in other plans or documentation, but rather to clarify and harmonize the roles and responsibilities of staff and processes across the acquirer. For example, the acquirer's service continuity plan may include actions involving suppliers in the event of a natural disaster.

The EDM plan, on the other hand, may detail roles, responsibilities, and processes to ensure that continuity plans are updated based on relevant changes, for example contractual changes that may affect service continuity. The plan may detail how different functions or departments will coordinate their efforts to support EDM.

Plans should explain:

  • who performs EDM practices
  • key stakeholders
  • when and how often they are performed, and
  • the key processes involved in EDM

Typical items addressed in an EDM plan may include:

  • identifying and prioritizing external dependencies
  • associating external dependencies with services and assets
  • managing operational risks resulting from external dependencies
  • evaluating and selecting external entities
  • formalizing and enforcing agreements with external entities, including changing provisions
  • terminating relationships with external entities
  • change management with external entities
  • integrating external dependencies into incident management and service continuity planning and exercising

Sub practices:

  • Document the plan
  • Document the process description
  • Review the plan with relevant stakeholders and obtain their agreement
  • Revise the plan as necessary
Q2

CERT-RMM Reference

Consider developing policies for external dependencies management. Policy consists of high-level statements by organizational leadership concerning external dependencies management. The purpose of policy is to establish and maintain governance over the planning and performance of external dependencies management. Policy will typically address:

  • responsibility, authority, and ownership for performing activities

  • the importance of external dependencies management

  • the acquirer's approach to its critical services and their prioritization

  • methods for measuring adherence to policy, granting exceptions, and identifying policy violations

  • consequences for non-compliance with policy

  • the acquirer's approach to selecting suppliers and external entities

  • the acquirer's approach to risk management as it pertains to external dependencies

  • enterprise requirements or policies to which external entities are expected to adhere

  • monitoring the performance of external entities

  • issue escalation and dispute resolution

  • applying corrective action to relationships with external entities as specified in formal agreements

  • terminating relationships with external entities as specified in formal agreements
Q3

CERT-RMM Reference

Consider including process descriptions for EDM in policy or plan documents. Process descriptions document the series of actions or specific steps that are necessary to perform external dependencies management activities in a repeatable, predictable manner.

Examples may include:

  • the process to form supplier relationships, for example the steps (“gates”) and approval authorities required for new relationships

  • the actions required to purchase or invest in new technology

  • processes to ensure that external entity concerns are included in risk management. For example, these may include a process to ensure that supplier performance problems are entered into risk registers or other risk monitoring tools.

  • the process to identify external dependencies, for example processes involving checking internal financial statements to identify supplier relationships outside the formal relationship management program.

  • the process to make changes to plans that involve external dependencies management, for example the service continuity, risk management, or incident management plans

  • the process to ensure that requirements for infrastructure providers and governmental services are managed. For example, these processes may focus on advising the corporate staff who interface with infrastructure and governmental authorities about changes and threats to the critical service.

  • the process to transition supplier relationships including, for example, the input of technical staff or critical service business owners at the acquirer.

  • the process to manage external entity access to the acquirer, for example the process to remove access when contractor staff are terminated or change staff positions

Q4

CERT-RMM Reference

Consider identifying stakeholders of the EDM process and engaging them to ensure they are aware of their roles. Examples include:

  • internal and external owners and custodians of organizational assets
  • internal and external service owners
  • organizational unit and line of business managers responsible for high-value assets and the services they support
  • staff responsible for managing operational risk
  • staff responsible for establishing, implementing, and maintaining an internal control system for organizational assets
  • staff required to develop, test, implement, and execute service continuity plans that involve external dependencies
  • acquisition and procurement staff
  • internal and external auditors
Q5

CERT-RMM Reference

Consider developing standards and guidelines for external dependencies management. Examples include:

  • criteria for prioritizing external dependencies
  • templates that define the information required to identify, track and manage external dependencies in databases or information repositories
  • the guidelines and standards required to make risk statements and impact valuations
  • agreement templates, including enterprise specifications that apply to external entities
  • standard RFPs, including applicable requirements
  • criteria for selecting external entities
  • performance-monitoring report standards and templates
  • inspection reports on deliverables
  • corrective-action report standards and examples
MIL3 - Managed
Performance at MIL3 - Managed means that external dependencies management to protect the critical service is performed, planned, and supported by sufficient oversight and resources.
1. Is there management oversight of the performance of external dependencies management?
Yes
2. Are the acquirer’s external dependencies management processes periodically reviewed to identify and manage risks to these processes?
Unanswered
3. Have qualified staff been assigned to perform external dependencies management activities as planned?
Alternate
4. Is there adequate funding to perform external dependencies management activities as planned?
No
Option(s) for Consideration
Q1

CERT-RMM Reference

Consider implementing management oversight of EDM processes. Oversight may involve the following manager activities:

  • defining roles and responsibilities for processes in the EDM plan
  • requiring reporting from staff concerning EDM status and issues
  • developing policy that requires relevant staff to participate in EDM processes
  • including EDM responsibilities in staff performance management goals and objectives, tracking progress against goals, and counseling or disciplining staff based on performance
Q2

CERT-RMM Reference

Consider managing risks to EDM practices and processes. Examples of risks include:

  • the acquirer's incorrect prioritization of external dependencies, related to insufficient standards or process definition
  • the risk of variability or inaccuracies in risk statements or valuations relating to external dependencies
  • imprecise supplier selection criteria and the risk of improper influence of acquirer staff
  • enterprise specifications and baseline requirements for contracts, and the risk that regulatory compliance requirements may change
  • risks related to a lack of skilled staff or knowledge, for example the risk that staff are unaware that specific proprietary software may include open source segments or modules that can introduce unforeseen vulnerabilities
  • the risk that centrally (or corporate) managed relationships with infrastructure or governmental service providers may not adequately account for the critical service's resilience requirements
Q3

CERT-RMM Reference

Consider ensuring that responsible staff are trained in skills required in external dependencies management. These are examples of skills required:

  • identifying and prioritizing external dependencies
  • elicitation of resilience specifications to be reflected in RFPs and agreements with external entities
  • evaluating and selecting external entities
  • negotiating agreements with external entities
  • knowledge of tools, techniques, and methods that can be used to identify, analyze, mitigate, and monitor operational risks
  • managing relationships with external entities
  • monitoring the performance of external entities, including the inspection of deliverables and knowing when corrective actions are required
  • technical skills to evaluate technology that the acquirer is considering procuring
Q4

CERT-RMM Reference

Consider ensuring that external dependencies management activities are adequately funded. Funding the process should extend beyond the initial development of the activities, and include maintenance and refresh.

MIL4 - Measured
Performance at MIL4 - Measured means that external dependencies management to protect the critical service is performed, planned, managed, and supported by controls, monitoring, and effectiveness measures.
1. Are external dependencies management activities measured and periodically reviewed to ensure they are effective and producing intended results?
N/A
2. Are external dependencies management activities periodically reviewed to ensure they are adhering to the plan?
Yes
3. Is higher level management aware of issues related to the performance of external dependencies management?
Unanswered
Option(s) for Consideration
Q1

CERT-RMM Reference

Consider measuring and periodically reviewing EDM processes to ensure they are effective and producing intended results. Example measures may include:

  • percentage of external entities that have undergone some form of assessment, risk assessment, and audit
  • count or percentage of suppliers or external entities in certain categories, for example:
    • by agreement type (formal contract with and without SLA, memorandum of agreement, purchase order, licensing agreement, and other, including no type of agreement)
    • by number or type of unforeseen or disruptive agreement changes
    • by performance problems
    • by problems relating to responsiveness or timeliness involving EDM practices, for example participation in service continuity planning or change management boards
    • located in less suitable geographic or political regions (for example, regions characterized by political instability or physical security problems)
    • with open litigation against the acquirer involving the critical service
    • by supplier adherence or compliance with independent standards
  • number of supplier relationships terminated for performance failures
  • percentage or absolute count of suppliers that failed to perform as expected during a disruptive event
  • count of suppliers that are single points of failure
  • percentage of suppliers whose deliverables have failed to pass inspection
  • changes or variability in resource needs to support the process
  • effectiveness of other acquirer business processes that support EDM (risk management, Human Resources, accounting, etc.)
Q2

CERT-RMM Reference

Consider objectively evaluating adherence of the EDM process against its process description, standards, and procedures, and address non-compliance.

Evaluating adherence to the EDM process may be done by analyzing measures such as:

  • percentage of external dependencies without designated organizational owners
  • percentage of external entities that have undergone some form of assessment, risk assessment, and audit compared to EDM plans and policies
  • count of supplier relationships formed outside the EDM process
  • percentage of external dependency records or database entries with old or incomplete information
Q3

CERT-RMM Reference

Consider ensuring that the acquirer reviews the activities, status, and results of the external dependencies management process with higher-level managers and resolves issues.

Normally, effective review with higher level (or board level) management requires ongoing discussion and identification of effectiveness and cost measures that are important for these stakeholders. These should form the basis for measurements and reporting involving effectiveness and process adherence.

MIL5 - Defined
Performance at MIL5 - Defined means that external dependencies management is performed, planned, managed, measured, and defined across the enterprise to apply to all business units and critical services.
1. Has the acquirer identified, described, and disseminated standard external dependencies management processes that apply across the enterprise?
Alternate
2. Has the acquirer provided individual operating units with guidelines to help them tailor standard enterprise processes to fit their unique operating circumstances?
No
3. Are improvements or changes to external dependency management documented and shared across the acquirer enterprise?
N/A
Option(s) for Consideration
Q1

CERT-RMM Reference

Consider identifying standard, defined EDM processes for the acquirer enterprise. This includes:

  • selecting - from the processes used by business units, divisions, or industry peers - the EDM processes that best meet the needs of the enterprise
  • ensuring that the enterprise's business, policy, and process objectives are appropriately addressed in this standard, defined process
  • documenting the defined process
  • revising the description of the standard, defined enterprise process as necessary
Q2

CERT-RMM Reference

Consider developing tailoring guidelines for the enterprise's defined EDM processes. The purpose of tailoring guidelines is to help individual operating units derive EDM practices that best suit their unique operating circumstances and requirements, while allowing enterprise management to realize predictability, confidence in, and efficiencies in EDM capability across the enterprise.

Tailoring guidelines provide guidance concerning organizationally acceptable refinements of, and deviations from, the defined process. Guidelines may involve any EDM goal or domain. The guidelines may address situations such as:

  • Differences in the mission criticality or importance of critical services across business units

  • Differences in EDM activities dictated by legal differences in the local jurisdiction of a separate business unit. These may involve contract, labor, or privacy law among others.

  • Differences related to the availability of suitable suppliers in different regions

  • Differences in the customer base of different business units. For example, an enterprise may issue guidelines to business units that serve private customers, as well as to other business units that serve an exclusively governmental customer base. The relevant guidelines would explain how to tailor the standard enterprise process to meet the compliance or process requirements of each customer type.
Q3

CERT-RMM Reference

Consider collecting external dependencies management work products, measures, measurement results, and improvement information from business units to support future use and improvement of the enterprise's processes.

Remarks - Maturity Indicator Levels

No remarks have been entered

Glossary

The following definitions are used in the EDM Assessment:
Acceptance Testing: Acceptance testing involves verifying that acquired technology meets the acquirer's resilience requirements for the critical service, for example confidentiality, integrity, availability, and maintainability, as well as other requirements that support the critical service. For example, acceptance testing may be used to verify that:
  • the technology has the necessary functionality or features
  • hardware and software are genuine and not counterfeit
  • the technology has not been maliciously tainted or tampered with
Acquirer: An organization that depends on external entities (vendors, infrastructure providers, public services, other business units in some cases) to fulfill its mission or business objectives. Acquirer refers to the assessed or subject organization, i.e. the organization undergoing the EDM Assessment.
Acquirer assets: Assets (people, information, technology, facilities) for which the acquirer is primarily responsible in terms of the assets' viability, productivity, and resilience.
Assets: People, information, technology, and facilities that are used to provide the critical service being assessed. Several questions in the EDM Assessment refer to acquirer or external assets.

These terms have the following meanings:

Acquirer assets — assets (people, information, technology, facilities) for which the acquirer is primarily responsible in terms of the assets' viability, productivity, and resilience

External assets — assets (people, information, technology, facilities) for which external entities are primarily responsible in terms of the assets' viability, productivity, and resilience

Capacity / Capacity management: Managing the demand for technology assets over a range of operational needs.
Change Management (change control): Continuous process of controlling changes to information or technology assets, related infrastructure, or any aspect of services, enabling approved changes with minimum disruption.
Controls: A method, policy, or procedure, manual or automated, that is adopted by an organization to ensure the safeguarding of assets, the accuracy and reliability of management information and financial records, administrative efficiency, and adherence to standards.
Cooperative / Cooperatively: Describes activities or processes that are jointly performed by the acquirer and one or more external entities.
Critical service: Activities an organization carries out in the performance of a duty or in the production of a product that is essential to the organization's mission.
Disruption management: Activities to manage and mitigate the impact of events that may negatively affect the critical service. These usually involve activities such as incident management, problem management, service/business continuity, or crisis planning.
Domain: In the context of the EDM Assessment, a domain is a logical grouping of external dependencies management practices that contribute to the cyber resilience of an organization.
Enterprise: The largest (i.e., highest level) organizational entity to which the acquirer belongs. For some participants, the acquirer is the enterprise itself.
External Assets: Assets (people, information, technology, facilities) for which external entities are primarily responsible in terms of the assets' viability, productivity, and resilience.
External dependency: A condition in which the production and requirements of one or more products or services provided by the acquirer depend on the actions of an external entity. This is usually because the external entity is a supplier of goods or services to the acquirer; it has access to, ownership of, control of, responsibility for, or some other defined obligation relating to an asset used to provide the critical service.
Related terms:
  • Relationship: the existence of a connection, association or some level of external dependency.
  • Formal agreement: A written agreement that creates obligations between the acquirer and an external entity. Formal agreements can provide clarity on terms, requirements, and responsibilities. Examples include contracts, service level agreements, or operational level agreements. Formal agreements are not required for an external dependency or relationship to exist.
External entity: An organization that is separate from the assessed acquirer or business unit. While these are frequently separate legal entities, they may also be separate business units, affiliates, or divisions within a large enterprise.
External entity types: The following are the EDM Assessment external entity types:
  • Supplier
  • Governmental services
  • Industry consortia
  • Infrastructure providers
  • Trusted supplier (ICT)
  • High value service
  • ICT Supply Chain
External process: Describes processes performed using primarily external assets.
Formal agreement: A written agreement that creates obligations between the acquirer and an external entity. Formal agreements can provide clarity on terms, requirements, and responsibilities. Examples include contracts, service level agreements, or operational level agreements. Formal agreements are not required for an external dependency or relationship to exist.
Governmental services: A service provided to people, organizations, or other entities in a political subdivision (nation, state, or locality), usually provided by a governmental department or agency. These services frequently involve security; for example fire, police, and emergency response. Non-emergency examples include the U.S. Postal Service, and transportation management and support agencies (federal and state agencies, regional port authorities, etc.).
High value service: Activities an organization carries out in the performance of a duty or in the production of a product that is essential to the organization's mission.
ICT Supply Chain: Linked set of resources and processes between acquirers, integrators, and suppliers that begins with the design of ICT products and services and extends through development, sourcing, manufacturing, handling, and delivery of ICT products and services to the acquirer. (2)
Incident: An event (or series of events) that significantly affects (or has the potential to significantly affect) assets and services and requires the acquirer (and possibly external entities) to respond in some way to prevent or limit adverse impacts.
Industry consortia: Voluntary groups of private industry or public stakeholders working cooperatively to minimize cybersecurity and external dependency risk. This activity frequently involves exchanging information about risks and threats.
Infrastructure providers:

A type of supplier that supplies goods or services to a region, economy, infrastructure sector, or political subdivision, and with which the acquirer normally has no commercially practical ability to negotiate the terms and conditions of agreements. Contracts with infrastructure providers are generally “take it or leave it.” Examples include natural gas, water, power, or transportation.

The key difference between a vendor and an infrastructure provider, from the perspective of External Dependencies Management, is that acquirers normally have a very limited ability to negotiate the terms of the relationship with infrastructure providers. Note that this is a relative standard. In other words, large acquirers that do have the ability to negotiate terms with infrastructure providers may wish to treat these external entities as suppliers for the purpose of an assessment. Because the EDM Assessment is intended for critical infrastructure acquirers of different sizes, this is intended to be a flexible definition.

Internal process: Describes processes performed using primarily acquirer assets.
Maturity Indicator Level (MIL): The MIL scale measures the level of process institutionalization and describes attributes indicative of mature capabilities. Higher degrees of institutionalization translate to more stable processes that produce consistent results over time and that are retained during times of operational stress.
Operational resilience: The organization's ability to adapt to risk that affects its core operational capabilities. Operational resilience is the emergent property of an organization to continue to survive and carry out its mission after a disruption that does not exceed its operational limit.
Operational risk: Potential for an adverse outcome assessed as a function of threats, vulnerabilities, and consequences associated with an incident, event, or occurrence. Managing risk in the EDM Assessment focuses on operational risks involving the actions of people, technology failures, failed internal processes, and disruptive external events. Operational risk is distinct from, but related to, other enterprise risk areas such as financial and market risk.
Plan: A detailed, written formulation of a program of action to satisfy or perform a practice or goal in the EDM Assessment. At higher maturity levels (MIL2 - Planned) the plan is a document to support the acquirer's performance of External Dependencies Management as an organizational capability.
Policy: A high level, overall plan embracing the general goals and acceptable procedures of an organization.
Practice: An activity performed to support a domain goal.
Process / Processes: A series of actions or steps taken in order to achieve a particular EDM practice or goal.
Relationship: The existence of a connection, association, or some level of external dependency.
Resilience requirement: A constraint that the acquirer places on internal or external assets to ensure they remain viable and sustainable when charged into production to support a service. These are often expressed in terms of confidentiality, integrity, or availability. Resilience requirements help ensure the protection of high-value assets as well as their continuity when an incident or disruption occurs.
Risk: See Operational risk.
Service: A set of activities the acquirer carries out in the performance of a duty or in the production of a product.
Situational awareness: The purpose of situational awareness is to actively discover and analyze information related to immediate operational stability and security, and to coordinate such information across the enterprise.
Stakeholder: A person or organization that has a vested interest in the acquirer or its activities.
Supplier: An external entity that:
  1. supplies one or more of the following to the acquirer:
    1. information and communications technology (ICT)
    2. services supported by ICT
    3. services that support the acquirer’s operation or sustainment of ICT, and
  2. with which the acquirer has some ability to negotiate the terms and conditions of formal agreements that govern the acquirer-supplier relationship.

Suppliers may also be known as subcontractors, vendors, separate divisions or affiliates of a large enterprise, or third parties.
Supply chain: The material and informational interchanges in the logistical process stretching from acquisition of raw materials to delivery of finished products to the end user. All vendors, service providers, and customers are links in the supply chain.

Source: Council of Supply Chain Management Professionals, 2013 Glossary.

Threat: The combination of a vulnerability, a threat actor, a motive (if the threat actor is a person or persons), and the potential to produce a harmful outcome for the acquirer.
Trusted supplier (ICT): A supplier that provides information and communications technology to the acquirer, which the acquirer has justifiable reason to believe meets appropriate standards for the use intended. One way for the supplier to achieve this is by demonstrating compliance with standards set forth by an acknowledged authority to ensure the integrity of the technology purchased. The authority may be the original equipment manufacturer or an appropriate industry body (such as The Open Group, the International Organization for Standardization, or a similar body). Well-established experience with suppliers may also establish trust. NIST Special Publication 800-53 states “services provided to organizations through well-established . . . business relationships may provide degrees of trust in such services within the tolerable risk range of the authorizing officials and organizations using the services.”

Using a trusted ICT supplier cannot provide complete protection against vulnerabilities, malicious tampering, or counterfeit ICT; however, it does indicate the presence of management controls against this specific risk.

Vulnerability / Vulnerabilities: A characteristic of design, location, security posture, operation, or any combination thereof that renders an asset, system, network, or entity susceptible to disruption, destruction, or exploitation.

EDM Assessment Acronyms

CERT-EU – Computer Emergency Response Team - European Union

EDM – External Dependencies Management

ICS-CERT – Industrial Control Systems Cyber Emergency Response Team

IC3 – Internet Crime Complaint Center

ICT – Information and communications technologies

ISAC – Information Sharing and Analysis Center

MAC – moves, adds, and changes

MIL – Maturity Indicator Level

NCCIC – National Cybersecurity and Communications Integration Center

NOAA – National Oceanic and Atmospheric Administration

RFP – Request for proposal

RMM – Resilience Management Model

SAS 70 – Statement on Auditing Standards number 70

SSAE 16 – Statement on Standards for Attestation Engagements number 16

SIEM Alert – security incident and event management alert

Sources Referenced in this Report

Resources used in the EDM Assessment are drawn primarily from publicly available sources. Please note that references to the IT Infrastructure Library (ITIL) and documents from the International Organization for Standardization (ISO) have also been included because of their relevance. Obtaining these sources may require a fee to the sponsoring organizations.

Resource Name / URL
Board of Governors of the Federal Reserve System, December 5, 2013. “Guidance on Managing Outsourcing Risk.” https://www.federalreserve.gov/supervisionreg/srletters/sr1319.htm
CERT® Resilience Management Model (CERT-RMM) https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=508084
CERT® CMMI for Acquisition http://www.sei.cmu.edu/reports/10tr032.pdf
ITIL Service Design, The Stationery Office, 2011, Best Management Practice. https://www.axelos.com/best-practice-solutions/itil/what-is-itil
ISO 22301 First Edition, “Societal security - Business continuity management systems - Requirements.” http://www.iso.org/iso/catalogue_detail?csnumber=50038
ISO 27036-1, “Information technology-Security techniques - Information security for supplier relationships – Part 1: Overview and concepts.” https://www.iso.org/standard/59648.html
ISO 27036-2, “Information technology-Security techniques-Information security for supplier relationships – Part 2: Requirements.” https://www.iso.org/standard/59680.html
ISO 27036-3, “Information Technology - Security Techniques - Information security for supplier relationships – Part 3: Guidelines for information and communication technology supply chain security.” https://www.iso.org/standard/59688.html
ISO 28000 First Edition, “Specifications for security management systems for the supply chain.” http://www.iso.org/iso/catalogue_detail?csnumber=44641
NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (NIST CSF) https://www.nist.gov/cyberframework/framework
NIST Special Publication 800-18 Revision 1, “Guide for Developing Security Plans for Federal Information Systems.” https://csrc.nist.gov/publications/detail/sp/800-18/rev-1/final
NIST Special Publication 800-30, “Risk Management Guide for Information Technology Systems.” https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
NIST Special Publication 800-34, “Contingency Planning for Federal Information Systems.” https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final
NIST Special Publication 800-39, “Managing Information Security Risk: Organization, Mission, and Information System View.” https://csrc.nist.gov/publications/detail/sp/800-39/final
NIST Special Publication 800-40 Revision 3, “Guide to Enterprise Patch Management Technologies.” https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final
NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal information Systems and Organizations.” https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final
NIST Special Publication 800-55, “Performance Measurement Guide for Information Security.” https://csrc.nist.gov/publications/detail/sp/800-55/rev-1/final
NIST Special Publication 800-61, “Computer Security Incident Handling Guide.” https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
NIST Special Publication 800-84, “Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities.” https://csrc.nist.gov/publications/detail/sp/800-84/final
NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.” https://csrc.nist.gov/publications/detail/sp/800-137/final
NIST Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations.” https://csrc.nist.gov/publications/detail/sp/800-161/final
NIST IR 7622, “Notional Supply Chain Risk Management Practices for Federal Information Systems.” https://csrc.nist.gov/publications/detail/nistir/7622/final
NIST IR 7756, “CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Model (Second Draft).” https://csrc.nist.gov/publications/detail/nistir/7756/draft
OCC Bulletin 2013-29, Subject: Third-Party Relationships. United States Department of the Treasury, October 30, 2013. https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html
Open Group, Open Trusted Technology Provider Standard, Version 1.1 https://www2.opengroup.org/ogsys/catalog/C147

Appendix A: Additional Data Views

NIST Cybersecurity Framework Category Summary

Legend (example responses: 7 / 7 / 7): the counts beside each entry are the number of practice questions answered as practices performed, practices incompletely performed, and practices not performed. Entries marked Not Applicable have no counts. Please see the legend of the NIST Cybersecurity Framework Summary page.

Columns: Function, Category, Subcategory, EDM References

Identify (ID)
IDENTIFY Summary: 33 / 0 / 68 (33%)
The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

Asset Management (AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.

ID.AM-1: Physical devices and systems within the organization are inventoried

1

ID.AM-2: Software platforms and applications within the organization are inventoried

1

ID.AM-3: Organizational communication and data flows are mapped

Not Applicable

ID.AM-4: External information systems are catalogued

1

ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value

Not Applicable

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established

1

Business Environment (BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

1

ID.BE-1: The organization’s role in the supply chain is identified and communicated

2
6

ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated

Not Applicable

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated

Not Applicable

ID.BE-4: Dependencies and critical functions for delivery of critical services are established

2
4

ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations)

3

Governance (GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

ID.GV-1: Organizational cybersecurity policy is established and communicated

Not Applicable

ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners

1

ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed

2

ID.GV-4: Governance and risk management processes address cybersecurity risks

1

Risk Assessment (RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

ID.RA-1: Asset vulnerabilities are identified and documented

2

ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources

2

ID.RA-3: Threats, both internal and external, are identified and documented

1
2

ID.RA-4: Potential business impacts and likelihoods are identified

1

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

1
2

ID.RA-6: Risk responses are identified and prioritized

1
1

Risk Management Strategy (RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders

1
2

ID.RM-2: Organizational risk tolerance is determined and clearly expressed

Not Applicable

ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis

Not Applicable

Supply Chain Risk Management (SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.

ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders

4
6

ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process

6
8

ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.

4
10

ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.

5
10

ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers

3
3
Protect (PR)
PROTECT Summary: 13 / 0 / 30 (30%)
The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.

Identity Management, Authentication and Access Control (AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes

2
3

PR.AC-2: Physical access to assets is managed and protected

2
3

PR.AC-3: Remote access is managed

2
3

PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties

1
1

PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)

Not Applicable

PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions

1

PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)

1

Awareness and Training (AT): The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.

PR.AT-1: All users are informed and trained

Not Applicable

PR.AT-2: Privileged users understand their roles and responsibilities

Not Applicable

PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities

1

PR.AT-4: Senior executives understand their roles and responsibilities

Not Applicable

PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities

Not Applicable

Data Security (DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

PR.DS-1: Data-at-rest is protected

Not Applicable

PR.DS-2: Data-in-transit is protected

Not Applicable

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition

Not Applicable

PR.DS-4: Adequate capacity to ensure availability is maintained

Not Applicable

PR.DS-5: Protections against data leaks are implemented

Not Applicable

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity

Not Applicable

PR.DS-7: The development and testing environment(s) are separate from the production environment

Not Applicable

PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity

Not Applicable

Information Protection Processes and Procedures (IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)

Not Applicable

PR.IP-2: A System Development Life Cycle to manage systems is implemented

2

PR.IP-3: Configuration change control processes are in place

4

PR.IP-4: Backups of information are conducted, maintained, and tested

Not Applicable

PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met

2

PR.IP-6: Data is destroyed according to policy

Not Applicable

PR.IP-7: Protection processes are improved

1

PR.IP-8: Effectiveness of protection technologies is shared

2
1

PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed

2
1

PR.IP-10: Response and recovery plans are tested

Not Applicable

PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)

Not Applicable

PR.IP-12: A vulnerability management plan is developed and implemented

1

Maintenance (MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.

PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools

2

PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access

1
4

Protective Technology (PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy

Not Applicable

PR.PT-2: Removable media is protected and its use restricted according to policy

Not Applicable

PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities

Not Applicable

PR.PT-4: Communications and control networks are protected

Not Applicable

PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations

Not Applicable
Detect (DE)
DETECT Summary: 0 / 0 / 4 (0%)
The Detect Function enables timely discovery of cybersecurity events.

Anomalies and Events (AE): Anomalous activity is detected and the potential impact of events is understood.

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed

Not Applicable

DE.AE-2: Detected events are analyzed to understand attack targets and methods

Not Applicable

DE.AE-3: Event data are collected and correlated from multiple sources and sensors

Not Applicable

DE.AE-4: Impact of events is determined

Not Applicable

DE.AE-5: Incident alert thresholds are established

1

Security Continuous Monitoring (CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.

DE.CM-1: The network is monitored to detect potential cybersecurity events

Not Applicable

DE.CM-2: The physical environment is monitored to detect potential cybersecurity events

Not Applicable

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events

Not Applicable

DE.CM-4: Malicious code is detected

Not Applicable

DE.CM-5: Unauthorized mobile code is detected

Not Applicable

DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events

2

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed

Not Applicable

DE.CM-8: Vulnerability scans are performed

1

Detection Processes (DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.

DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability

Not Applicable

DE.DP-2: Detection activities comply with all applicable requirements

Not Applicable

DE.DP-3: Detection processes are tested

Not Applicable

DE.DP-4: Event detection information is communicated

Not Applicable

DE.DP-5: Detection processes are continuously improved

Not Applicable
Respond (RS)
RESPOND Summary: 1 / 0 / 4 (20%)
The Respond function supports the ability to contain the impact of a potential cybersecurity event.

Response Planning (RP): Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.

RS.RP-1: Response plan is executed during or after an incident

Not Applicable

Communications (CO): Response activities are coordinated with internal and external stakeholders (e.g., external support from law enforcement agencies).

RS.CO-1: Personnel know their roles and order of operations when a response is needed

Not Applicable

RS.CO-2: Incidents are reported consistent with established criteria

Not Applicable

RS.CO-3: Information is shared consistent with response plans

Not Applicable

RS.CO-4: Coordination with stakeholders occurs consistent with response plans

Not Applicable

RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.

1
2

Analysis (AN): Analysis is conducted to ensure effective response and support recovery activities.

RS.AN-1: Notifications from detection systems are investigated

Not Applicable

RS.AN-2: The impact of the incident is understood

Not Applicable

RS.AN-3: Forensics are performed

Not Applicable

RS.AN-4: Incidents are categorized consistent with response plans

Not Applicable

RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)

1

Mitigation (MI): Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.

RS.MI-1: Incidents are contained

Not Applicable

RS.MI-2: Incidents are mitigated

Not Applicable

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

1

Improvements (IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

RS.IM-1: Response plans incorporate lessons learned

Not Applicable

RS.IM-2: Response strategies are updated

Not Applicable
Recover (RC)
RECOVER Summary: 0 / 0 / 0 (0%)
The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event.

Recovery Planning (RP): Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.

RC.RP-1: Recovery plan is executed during or after a cybersecurity incident

Not Applicable

Improvements (IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.

RC.IM-1: Recovery plans incorporate lessons learned

Not Applicable

RC.IM-2: Recovery strategies are updated

Not Applicable

Communications (CO): Restoration activities are coordinated with internal and external parties (e.g., coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).

RC.CO-1: Public relations are managed

Not Applicable

RC.CO-2: Reputation is repaired after an incident

Not Applicable

RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams

Not Applicable
NIST Cybersecurity Framework Category Performance

Legend: G#.Q# = Goal Number and Question Number. Response marks: Performed, Incompletely Performed, Not Performed, No Response; NA = not applicable. EDM Domain codes: S = Suppliers, IP = Infrastructure Providers, G = Government Services, I = Information, T = Technology, F = Facilities, P = People, IM = Incident Management, SC = Service Continuity. Please see legend of the NIST Cybersecurity Framework Summary page.

Columns: Function, Category, Subcategory, EDM References
Identify (ID)
IDENTIFY Summary: 33 / 0 / 68 (33%)
The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

Asset Management (AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.

ID.AM-1: Physical devices and systems within the organization are inventoried
EDM References: RF G1.Q3

ID.AM-2: Software platforms and applications within the organization are inventoried
EDM References: RF G1.Q3

ID.AM-3: Organizational communication and data flows are mapped
EDM References: N/A

ID.AM-4: External information systems are catalogued
EDM References: RF G1.Q3

ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
EDM References: RF G1.Q2

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
EDM References: RMG G6.Q2, G6.Q3; SPS G3.Q1

Business Environment (BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
EDM References: RF G1.Q1, G1.Q2

ID.BE-1: The organization’s role in the supply chain is identified and communicated
EDM References: RF G2.Q1, G2.Q2, G2.Q3, G2.Q4, G3.Q2 (S, IP, GS), G4.Q2, G5.Q1; RMG G2.Q1, G6.Q1

ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
EDM References: N/A

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
EDM References: N/A

ID.BE-4: Dependencies and critical functions for delivery of critical services are established
EDM References: RF G2.Q4, G4.Q2, G6.Q2; RMG G1.Q1 (S, IP, GS), G1.Q2, G1.Q3

ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations)
EDM References: RF G1.Q4, G2.Q3, G6.Q1; RMG G2.Q1, G6.Q1

Governance (GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

ID.GV-1: Organizational cybersecurity policy is established and communicated
EDM References: N/A

ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
EDM References: RMG G6.Q2, G6.Q3

ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
EDM References: RF G1.Q4, G2.Q2

ID.GV-4: Governance and risk management processes address cybersecurity risks
EDM References: RF G3.Q1

Risk Assessment (RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

ID.RA-1: Asset vulnerabilities are identified and documented
EDM References: RF G6.Q2; RMG G2.Q4

ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
EDM References: SPS G3.Q1, G3.Q2, G3.Q4, G3.Q5

ID.RA-3: Threats, both internal and external, are identified and documented
EDM References: SPS G3.Q2, G3.Q3 (S, IP)

ID.RA-4: Potential business impacts and likelihoods are identified
EDM References: RF G3.Q3

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
EDM References: RF G3.Q2 (S, IP, GS), G3.Q3

ID.RA-6: Risk responses are identified and prioritized
EDM References: RF G3.Q2 (S, IP, GS)

Risk Management Strategy (RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
EDM References: RF G3.Q1; RMG G2.Q5, G2.Q6, G6.Q5

ID.RM-2: Organizational risk tolerance is determined and clearly expressed
EDM References: N/A

ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
EDM References: N/A

Supply Chain Risk Management (SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.

ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
EDM References: RF G2.Q1, G3.Q1, G3.Q2 (S, IP, GS); RMG G2.Q2, G2.Q5, G2.Q6, G3.Q2, G4.Q3, G4.Q4, G5.Q1, G5.Q2, G5.Q3, G6.Q5; SPS G2.Q4

ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
EDM References: RF G2.Q1, G3.Q2 (S, IP, GS), G3.Q3, G4.Q1, G4.Q3, G4.Q4, G6.Q3, G6.Q4, G6.Q5; RMG G1.Q1 (S, IP, GS), G1.Q2, G1.Q3, G2.Q3, G2.Q5, G2.Q6; SPS G1.Q4 (IM, SC), G2.Q2 (IM, SC), G2.Q4

ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
EDM References: RF G2.Q1, G2.Q2, G2.Q3, G2.Q4, G4.Q1, G4.Q2, G4.Q3, G4.Q4, G5.Q1, G5.Q2, G5.Q3, G5.Q4, G5.Q5, G5.Q6; RMG G2.Q1, G4.Q3, G4.Q5, G5.Q1, G5.Q2, G6.Q1; SPS G2.Q2 (IM, SC), G2.Q4

ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
RF: G3.Q2 (S, IP, GS), G3.Q3
RMG: G2.Q2, G2.Q3, G2.Q4, G2.Q5, G2.Q6, G3.Q1, G3.Q2, G3.Q3, G3.Q4, G4.Q3, G4.Q4, G4.Q5, G6.Q2, G6.Q3, G6.Q4
SPS: G2.Q1 (IM, SC), G2.Q3, G2.Q4

ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers
RF: G5.Q6
SPS: G1.Q1, G1.Q3, G1.Q4 (IM, SC), G1.Q5 (IM, SC), G2.Q1 (IM, SC)
Protect (PR)
PROTECT Summary: 13 / 0 / 30 / 30%
The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.

Identity Management, Authentication and Access Control (AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
RMG: G7.Q1, G7.Q2, G7.Q3 (I, T, F), G7.Q4 (I, T, F)

PR.AC-2: Physical access to assets is managed and protected
RMG: G7.Q1, G7.Q2, G7.Q3 (I, T, F), G7.Q4 (I, T, F)

PR.AC-3: Remote access is managed
RMG: G7.Q1, G7.Q2, G7.Q3 (I, T, F), G7.Q4 (I, T, F)

PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
RMG: G7.Q3 (I, T, F)

PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
EDM References: N/A

PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
RMG: G7.Q1

PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
RMG: G7.Q1

Awareness and Training (AT): The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.

PR.AT-1: All users are informed and trained
EDM References: N/A

PR.AT-2: Privileged users understand their roles and responsibilities
EDM References: N/A

PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
RF: G5.Q1

PR.AT-4: Senior executives understand their roles and responsibilities
EDM References: N/A

PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities
SPS: G3.Q1

Data Security (DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

PR.DS-1: Data-at-rest is protected
EDM References: N/A

PR.DS-2: Data-in-transit is protected
EDM References: N/A

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
EDM References: N/A

PR.DS-4: Adequate capacity to ensure availability is maintained
RMG: G4.Q5

PR.DS-5: Protections against data leaks are implemented
EDM References: N/A

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
EDM References: N/A

PR.DS-7: The development and testing environment(s) are separate from the production environment
EDM References: N/A

PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
EDM References: N/A

Information Protection Processes and Procedures (IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g., concept of least functionality)
EDM References: N/A

PR.IP-2: A System Development Life Cycle to manage systems is implemented
RF: G6.Q5
RMG: G5.Q1

PR.IP-3: Configuration change control processes are in place
RMG: G4.Q1 (I, T, F, P), G4.Q2 (I, T, F, P)

PR.IP-4: Backups of information are conducted, maintained, and tested
EDM References: N/A

PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
RF: G2.Q2
RMG: G3.Q1

PR.IP-6: Data is destroyed according to policy
EDM References: N/A

PR.IP-7: Protection processes are improved
RMG: G5.Q3

PR.IP-8: Effectiveness of protection technologies is shared
RMG: G5.Q3
SPS: G3.Q3 (S, IP), G3.Q4, G3.Q6

PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
SPS: G1.Q1, G1.Q3, G1.Q4 (IM, SC), G1.Q5 (IM, SC)

PR.IP-10: Response and recovery plans are tested
EDM References: N/A

PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
RMG: G7.Q2

PR.IP-12: A vulnerability management plan is developed and implemented
RMG: G2.Q4

Maintenance (MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.

PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
RMG: G4.Q2 (I, T, F, P)

PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
RMG: G4.Q2 (I, T, F, P), G7.Q1, G7.Q4 (I, T, F)

Protective Technology (PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
EDM References: N/A

PR.PT-2: Removable media is protected and its use restricted according to policy
EDM References: N/A

PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
EDM References: N/A

PR.PT-4: Communications and control networks are protected
EDM References: N/A

PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
EDM References: N/A
Detect (DE)
DETECT Summary: 0 / 0 / 4 / 0%
The Detect Function enables timely discovery of cybersecurity events.

Anomalies and Events (AE): Anomalous activity is detected and the potential impact of events is understood.

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
EDM References: N/A

DE.AE-2: Detected events are analyzed to understand attack targets and methods
EDM References: N/A

DE.AE-3: Event data are collected and correlated from multiple sources and sensors
EDM References: N/A

DE.AE-4: Impact of events is determined
EDM References: N/A

DE.AE-5: Incident alert thresholds are established
SPS: G1.Q2

Security Continuous Monitoring (CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.

DE.CM-1: The network is monitored to detect potential cybersecurity events
EDM References: N/A

DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
EDM References: N/A

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
EDM References: N/A

DE.CM-4: Malicious code is detected
EDM References: N/A

DE.CM-5: Unauthorized mobile code is detected
EDM References: N/A

DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
RMG: G3.Q1, G4.Q4

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
EDM References: N/A

DE.CM-8: Vulnerability scans are performed
RMG: G2.Q4

Detection Processes (DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.

DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
EDM References: N/A

DE.DP-2: Detection activities comply with all applicable requirements
EDM References: N/A

DE.DP-3: Detection processes are tested
EDM References: N/A

DE.DP-4: Event detection information is communicated
EDM References: N/A

DE.DP-5: Detection processes are continuously improved
EDM References: N/A
Respond (RS)
RESPOND Summary: 1 / 0 / 4 / 20%
The Respond function supports the ability to contain the impact of a potential cybersecurity event.

Response Planning (RP): Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.

RS.RP-1: Response plan is executed during or after an incident
EDM References: N/A

Communications (CO): Response activities are coordinated with internal and external stakeholders (e.g., external support from law enforcement agencies).

RS.CO-1: Personnel know their roles and order of operations when a response is needed
EDM References: N/A

RS.CO-2: Incidents are reported consistent with established criteria
EDM References: N/A

RS.CO-3: Information is shared consistent with response plans
EDM References: N/A

RS.CO-4: Coordination with stakeholders occurs consistent with response plans
EDM References: N/A

RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.
SPS: G3.Q3 (S, IP), G3.Q4, G3.Q5, G3.Q6

Analysis (AN): Analysis is conducted to ensure effective response and support recovery activities.

RS.AN-1: Notifications from detection systems are investigated
EDM References: N/A

RS.AN-2: The impact of the incident is understood
EDM References: N/A

RS.AN-3: Forensics are performed
EDM References: N/A

RS.AN-4: Incidents are categorized consistent with response plans
EDM References: N/A

RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g., internal testing, security bulletins, or security researchers)
RMG: G2.Q4

Mitigation (MI): Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.

RS.MI-1: Incidents are contained
EDM References: N/A

RS.MI-2: Incidents are mitigated
EDM References: N/A

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
RMG: G2.Q4

Improvements (IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

RS.IM-1: Response plans incorporate lessons learned
EDM References: N/A

RS.IM-2: Response strategies are updated
EDM References: N/A
Recover (RC)
RECOVER Summary: 0 / 0 / 0 / 0%
The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event.

Recovery Planning (RP): Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.

RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
EDM References: N/A

Improvements (IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.

RC.IM-1: Recovery plans incorporate lessons learned
EDM References: N/A

RC.IM-2: Recovery strategies are updated
EDM References: N/A

Communications (CO): Restoration activities are coordinated with internal and external parties (e.g., coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).

RC.CO-1: Public relations are managed
EDM References: N/A

RC.CO-2: Reputation is repaired after an incident
EDM References: N/A

RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
EDM References: N/A